CVE-2026-35403— LORIS has potential cross-site scripting in survey_accounts module

CVSS 6.5 · Medium EPSS 0.04% · P11 Updated Apr 12, 2026

Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-35403

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title

LORIS has potential cross-site scripting in survey_accounts module

Source: NVD (National Vulnerability Database)

Vulnerability Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properly JSON encoded, the Content-Type header is not set causing the web browser to interpret the payload as HTML, opening the possibility of a cross-site scripting if a user is tricked into following an invalid link. This vulnerability is fixed in 27.0.3 and 28.0.1.

Source: NVD (National Vulnerability Database)

CVSS Information

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

Source: NVD (National Vulnerability Database)

Vulnerability Type

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

Source: NVD (National Vulnerability Database)

Vulnerability Title

LORIS Neuroimaging Platform 跨站脚本漏洞

Source: CNNVD (China National Vulnerability Database)

Vulnerability Description

LORIS Neuroimaging Platform是ACElab开源的一个神经影像平台。 LORIS Neuroimaging Platform 15.10至27.0.3之前版本和28.0.1之前版本存在跨站脚本漏洞，该漏洞源于survey_accounts模块未设置Content-Type标头，可能导致跨站脚本攻击。

Source: CNNVD (China National Vulnerability Database)

CVSS Information

N/A

Source: CNNVD (China National Vulnerability Database)

Vulnerability Type

N/A

Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor	Product	Affected Versions	CPE	Subscribe
aces	Loris	>= 15.10, < 27.0.3	-

II. Public POCs for CVE-2026-35403

#	POC Description	Source Link	Shenlong Link

AI-Generated POCPremium

No public POC found.

III. Intelligence Information for CVE-2026-35403

请登录查看更多情报信息。

Same Patch Batch · aces · 2026-04-08 · 8 CVEs total

CVE-2026-35169	8.7 HIGH	LORIS has potential cross-site scripting in help_editor module
CVE-2026-35446	7.7 HIGH	LORIS has a path traversal in FilesDownloadHandler
CVE-2026-34392	7.5 HIGH	LORIS has a path traversal in static router
CVE-2026-33350	7.5 HIGH	LORIS has a SQL injection in MRI feedback popup
CVE-2026-35165	6.3 MEDIUM	LORIS has incorrect access checks in document_repository
CVE-2026-34985	6.3 MEDIUM	LORIS has incorrect access checks in media module
CVE-2026-35400	3.5 LOW	LORIS incorrectly trusts user input in publication module

IV. Related Vulnerabilities

Same product: Loris

Same vendor: aces

Same weakness: CWE-79

V. Comments for CVE-2026-35403

No comments yet

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-35403— LORIS has potential cross-site scripting in survey_accounts module

I. Basic Information for CVE-2026-35403

Vulnerability Information

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Vulnerability Title

Vulnerability Description

CVSS Information

Vulnerability Type

Affected Products

II. Public POCs for CVE-2026-35403

III. Intelligence Information for CVE-2026-35403

Same Patch Batch · aces · 2026-04-08 · 8 CVEs total

IV. Related Vulnerabilities

V. Comments for CVE-2026-35403

Leave a comment