CVE-2026-35400

Name of the Vulnerable Software and Affected Versions LORIS versions 20.0.0 through 27.0.2 and 28.0.0

Description The LORIS application incorrectly trusts the baseURL submitted by a user's POST request instead of its internal value within the publication module. This could allow an attacker with publication module access to forge an email appearing to originate from LORIS, directing it to a domain controlled by the attacker.

Recommendations Update to version 27.0.3 or 28.0.1