Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 3.5 Low
EPSS: < 1% Very Low
KEV: No
Impact: Email spoofing via forged baseURL
Action: Patch immediately
AI Analysis

Impact

The publication module reads a baseURL from the POST body instead of using the value configured in LORIS. An attacker who already has publication module access can therefore cause an email that LORIS itself sends, and that recipients will take to be legitimate, to reference an external domain under the attacker's control, which is the setup for phishing or social engineering against the deployment's users. The assigned weakness is CWE‑59 (Improper Link Resolution Before File Access, "Link Following"); the root cause as described is simpler than that label suggests: a server-side value that should never come from the client is taken from the request.
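As an added illustration (not code from LORIS, and not the advisory's own description of the endpoint), the vulnerable pattern beside a hardened version that takes the base URL only from server configuration. The advisory does not say how the endpoint uses baseURL, so the example assumes it is used to build the link in a notification email; the request fields pubID, notify and baseURL, the config key baseURL and the message text are all hypothetical.

```python
"""Added illustration of the CVE-2026-35400 pattern, not code from LORIS.
Assumptions: the endpoint builds a notification mail whose link is derived
from a base URL; the POST fields pubID/notify/baseURL and the config key
baseURL are hypothetical."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed: the value the deployment itself knows as its public base URL.
CONFIG = {"baseURL": "https://loris.example.org"}


@dataclass
class Mail:
    to: str
    subject: str
    body: str


def build_notification_vulnerable(post: dict, config: dict) -> Mail:
    """Vulnerable pattern: a baseURL field in the POST body overrides the
    configured value, so whoever submits the publication chooses where the
    link in a mail that genuinely comes from LORIS points."""
    base = post.get("baseURL", config["baseURL"])   # client-controlled
    link = f"{base.rstrip('/')}/publication/{post['pubID']}"
    return Mail(to=post["notify"], subject="New publication submitted",
                body=f"A publication was submitted. Review it at {link}")


def build_notification_fixed(post: dict, config: dict) -> Mail:
    """Hardened: the base URL is read only from server configuration. The
    request is not consulted for it at all, so there is nothing to validate
    or strip; the one client value that reaches the URL is constrained."""
    base = config["baseURL"].rstrip("/")
    pub_id = str(post["pubID"])
    if not pub_id.isdigit():
        raise ValueError("pubID must be a numeric identifier")
    link = f"{base}/publication/{pub_id}"
    return Mail(to=post["notify"], subject="New publication submitted",
                body=f"A publication was submitted. Review it at {link}")


def link_host(mail: Mail) -> str:
    """Hostname of the first link in the body, via the URL parser rather
    than a substring check, so lookalike hosts are not mistaken for ours."""
    url = next(w for w in mail.body.split()
               if w.startswith(("http://", "https://")))
    return urlsplit(url).hostname or ""


def demo() -> tuple[str, str]:
    # Constructed attacker request: valid publication data plus a forged baseURL.
    post = {"pubID": "42", "notify": "pi@example.org",
            "baseURL": "https://loris-review.attacker.example"}
    bad = build_notification_vulnerable(post, CONFIG)
    good = build_notification_fixed(post, CONFIG)
    return link_host(bad), link_host(good)


if __name__ == "__main__":
    print(demo())   # the same request yields an attacker host, then the configured host
```

The fix is deliberately not "validate the submitted baseURL": a value that only the server should know has no business being in the request, so the hardened handler never reads it, and the only client-supplied fragment that reaches the URL is restricted to a numeric identifier.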

Affected Systems

LORIS versions from 20.0.0 up to, but not including, 27.0.3 and the 28.0.0 release are vulnerable. The fix is available in 27.0.3 and in 28.0.1 and later releases.

Risk and Exploitability

The CVSS 3.1 score of 3.5 (AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N) is Low: the endpoint is reachable over the network with low attack complexity, but the attacker needs an authenticated account with publication module access, a recipient has to act on the email (UI:R), and the only impact is a low integrity impact with unchanged scope. EPSS is below 1%, the SSVC assessment rates exploitation as none and the flaw as not automatable, and it is not in CISA's KEV catalog. With publication access, which typically means valid user credentials or the ability to create a publication, the attacker supplies a baseURL in the POST request so that an email LORIS itself sends references a domain under the attacker's control. The risk is limited to deployments whose users trust mail from LORIS; exploitation without user interaction is unlikely, but the phishing potential is real.

Generated by OpenCVE AI on April 8, 2026 at 21:35 UTC.

Remediation

The vendor fix is in LORIS 27.0.3 and 28.0.1; no workaround is documented.

OpenCVE Recommended Actions

  • Verify your LORIS installation falls between 20.0.0 and 27.0.2 or is exactly 28.0.0 to determine if it is vulnerable.
  • Upgrade to LORIS 27.0.3 or later, or to 28.0.1 and newer, where the baseURL validation bug is fixed.
  • If an upgrade cannot be performed immediately, restrict publication module access to trusted users only and monitor outbound mail sent by LORIS for messages that reference domains other than the configured base URL.
  • Periodically review outbound email logs for links to unexpected domains or spoofed sender addresses.
  • Provide staff training on recognizing phishing emails that appear to originate from the application.
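The first two actions are a version check and the next two are a log review. As an added example, not OpenCVE's or LORIS's code, the following applies the affected ranges stated in the advisory to a version string and scans constructed sent-mail records for links whose parsed host is not the configured LORIS host. The record layout, the sample messages and the host loris.example.org are assumptions.

```python
"""Added example: affected-version check from the advisory's ranges, and a
scan of sent notifications for links that leave the configured LORIS host.
The mail records below are constructed and their layout is an assumption."""
import re
from urllib.parse import urlsplit

# From the advisory: 20.0.0 <= v < 27.0.3 and 28.0.0 <= v < 28.0.1 are affected.
AFFECTED_RANGES = [((20, 0, 0), (27, 0, 3)), ((28, 0, 0), (28, 0, 1))]


def parse_version(v: str) -> tuple[int, int, int]:
    """'27.0.3' -> (27, 0, 3); tolerates a leading 'v', a short '20.0', and a
    pre-release suffix such as '-rc1', which is treated as the release it precedes."""
    core = v.strip().lstrip("vV").split("-")[0]
    parts = [int(p) for p in core.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def is_affected(version: str) -> bool:
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED_RANGES)


# Assumed configured LORIS host; compare against this, never a substring.
LORIS_HOST = "loris.example.org"

# Constructed sent-mail records: (sender, recipient, body). Only the first is
# what a correct deployment produces; the rest show forged base URLs.
SENT_MAIL = [
    ("loris@loris.example.org", "pi@example.org",
     "A publication was submitted. Review it at https://loris.example.org/publication/41"),
    ("loris@loris.example.org", "pi@example.org",
     "A publication was submitted. Review it at https://loris-review.attacker.example/publication/42"),
    ("loris@loris.example.org", "ra@example.org",
     "A publication was submitted. Review it at https://loris.example.org.attacker.example/publication/43"),
    ("loris@loris.example.org", "ra@example.org",
     "Sign in at https://attacker.example/login?next=https://loris.example.org/publication/44"),
]

URL_RE = re.compile(r"""https?://[^\s<>"']+""")


def external_links(body: str, expected_host: str) -> list[str]:
    """URLs in the body whose hostname differs from the configured host.
    Parsing the hostname defeats 'loris.example.org.attacker.example' and
    '?next=https://loris.example.org' lookalikes that a substring match passes."""
    flagged = []
    for url in URL_RE.findall(body):
        host = (urlsplit(url).hostname or "").lower()
        if host != expected_host.lower():
            flagged.append(url)
    return flagged


def flag_mail(records, expected_host: str) -> list[tuple[str, str]]:
    """(recipient, url) for every link in the records that leaves the LORIS host."""
    return [(rcpt, url) for _sender, rcpt, body in records
            for url in external_links(body, expected_host)]


if __name__ == "__main__":
    for ver in ("20.0.0", "27.0.2", "27.0.3", "28.0.0", "28.0.1"):
        print(ver, "affected" if is_affected(ver) else "fixed")
    for rcpt, url in flag_mail(SENT_MAIL, LORIS_HOST):
        print("review:", rcpt, url)
```

The version check is the part most worth getting right: 27.0.3 and 28.0.1 are the fixed releases, so the upper bounds are exclusive, and 28.0.0 sits in its own one-release range rather than being covered by the first. The scan compares parsed hostnames because the three forged records above all contain the string "loris.example.org" somewhere in the URL.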

Generated by OpenCVE AI on April 8, 2026 at 21:35 UTC.


Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Aces
                                      Aces loris
Vendors & Products                    Aces
                                      Aces loris

Wed, 08 Apr 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title                          LORIS incorrectly trusts user input in publication module
Weaknesses                     CWE-59
References
Metrics                        cvssV3_1
                               {'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:52:33.071Z

Reserved: 2026-04-02T17:03:42.074Z

Link: CVE-2026-35400

Vulnrichment

Updated: 2026-04-08T19:52:30.410Z

NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:23.590

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-35400

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-09T08:27:48Z

Weaknesses