CVE-2026-35169— LORIS Neuroimaging Platform 安全漏洞

LORIS has potential cross-site scripting in help_editor module

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

LORIS Neuroimaging Platform 安全漏洞

LORIS Neuroimaging Platform是ACElab开源的一个神经影像平台。 LORIS Neuroimaging Platform 27.0.3之前版本和28.0.1之前版本存在安全漏洞，该漏洞源于help_editor模块未正确清理用户输入，可能导致反射型跨站脚本攻击或下载任意markdown文件。

N/A

N/A