CVE-2026-35403 MEDIUM

CVE-2026-35403: LORIS has potential cross-site scripting in survey_accounts module

Vendor Aces
Product Loris
Weakness CWE-79 · XSS
Published April 8, 2026
Last update April 10, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N

What the vulnerability does

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. In versions from 15.10 up to, but not including, 27.0.3 and 28.0.1, the survey_accounts module is potentially open to cross-site scripting when a user supplies an invalid visit label. The error response is properly JSON encoded, but no Content-Type header is set on it, so the browser sniffs the body and interprets it as HTML; a user who is tricked into following a crafted invalid link can therefore have script executed in their session. This vulnerability is fixed in 27.0.3 and 28.0.1.
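The following added example is not LORIS code (LORIS is a PHP application; this is Python for portability) and does not reproduce the real survey_accounts handler. It illustrates the failure mode described above with two constructed WSGI handlers, one that emits a correctly JSON-encoded error body without any Content-Type header and one that declares `application/json` and adds `X-Content-Type-Options: nosniff`, plus a small response audit of the kind a defender can run in integration tests to catch JSON bodies that are served without a media type. The endpoint path, status code, visit label and handler names are all constructed for the example.

```python
"""Added example (not LORIS code): JSON served without a Content-Type header
is sniffed by the browser, and a JSON body containing '<' can then render as
HTML. The fix is a header, not more escaping. Handlers, path, status and the
sample visit label below are constructed for illustration."""
import json
from io import BytesIO

# Constructed sample: a client-supplied visit label carrying markup.
SAMPLE_LABEL = 'V1"><script>alert(1)</script>'


def build_error_body(visit_label: str) -> str:
    # The payload is correctly JSON-encoded (the quote is escaped), matching
    # the advisory's point that encoding itself was not the defect.
    return json.dumps({"error": "invalid visit label", "visit": visit_label})


def vulnerable_app(environ, start_response):
    """Returns a JSON body but never declares its media type (assumed weak form)."""
    body = build_error_body(SAMPLE_LABEL).encode("utf-8")
    start_response("400 Bad Request", [])  # no Content-Type at all
    return [body]


def fixed_app(environ, start_response):
    """Same body, but the browser is told it is JSON and told not to sniff."""
    body = build_error_body(SAMPLE_LABEL).encode("utf-8")
    start_response("400 Bad Request", [
        ("Content-Type", "application/json; charset=utf-8"),
        ("X-Content-Type-Options", "nosniff"),
    ])
    return [body]


def call(app):
    """Minimal offline WSGI driver: returns (status, lower-cased headers, body)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/survey_accounts",
               "wsgi.input": BytesIO(b"")}
    body = b"".join(app(environ, start_response)).decode("utf-8")
    return captured["status"], captured["headers"], body


def audit_json_response(headers, body):
    """Flags a response whose body parses as JSON but is not declared as JSON.
    Returns a list of findings; an empty list means the response is acceptable."""
    findings = []
    try:
        json.loads(body)
    except ValueError:
        return findings  # not a JSON body; outside this check's scope
    ctype = headers.get("content-type", "")
    mime = ctype.split(";")[0].strip().lower()
    if not ctype:
        findings.append("missing Content-Type: browser will sniff; a JSON body "
                        "containing '<' may be rendered as HTML")
    elif mime != "application/json" and not mime.endswith("+json"):
        findings.append(f"non-JSON Content-Type {mime!r} on a JSON body")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    return findings


def compare():
    """Returns (findings for the vulnerable handler, findings for the fixed one)."""
    _, vuln_headers, vuln_body = call(vulnerable_app)
    _, fixed_headers, fixed_body = call(fixed_app)
    return audit_json_response(vuln_headers, vuln_body), \
        audit_json_response(fixed_headers, fixed_body)


if __name__ == "__main__":
    vuln, fixed = compare()
    print("vulnerable handler:", vuln)
    print("fixed handler:", fixed)
```

The audit deliberately treats a missing header and a missing `nosniff` directive as separate findings: the Content-Type is what makes the fix, and `nosniff` is a general hardening measure (not something the advisory mentions) that stops browsers from second-guessing a declared type. Note that `json.dumps` leaves `<` and `>` untouched in the body, so the markup from the label is still present in both responses; only the declared media type keeps the browser from treating it as HTML.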

Key dates

Disclosure timeline

April 8, 2026 CVE published
April 10, 2026 Record updated
