PT-2026-31427 · Loris · Loris

Published: 2026-04-08 · Updated: 2026-04-09 · CVE-2026-35169

CVSS v3.1: 8.7 (High)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions: LORIS versions prior to 27.0.3 and version 28.0.1

Description: The LORIS application does not properly sanitize user-supplied variables within the help editor module, potentially leading to a reflected cross-site scripting attack if a user is tricked into following a malicious link. This could also allow an attacker to download arbitrary markdown files from an unpatched server.

Recommendations: Update to version 27.0.3 or 28.0.1.

Fix

XSS

Files Accessible to External Parties

Weakness Enumeration

Related Identifiers: CVE-2026-35169

Affected Products: Loris