CVE-2026-35403

Name of the Vulnerable Software and Affected Versions LORIS versions 15.10 through 27.0.2 and 28.0.1

Description LORIS, a self-hosted web application for neuroimaging research data and project management, has a potential for a cross-site scripting (XSS) attack in the survey accounts module. This occurs when a user provides an invalid visit label. The system properly JSON encodes the data, but fails to set the Content-Type header, causing the web browser to interpret the payload as HTML. This can lead to XSS if a user is tricked into following a malicious link.

Recommendations Update to version 27.0.3 or 28.0.1