CVE-2026-35403
Cross-Site Scripting in LORIS Survey_Accounts Module
Publication date: 2026-04-08
Last updated on: 2026-04-21
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcgill | loris | 28.0.0 |
| mcgill | loris | From 15.10 (inc) to 27.0.2 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows for cross-site scripting (XSS) attacks that can lead to unauthorized access to confidential data, as indicated by the high confidentiality impact in the CVSS assessment.
Such unauthorized data access could potentially violate data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized disclosure.
However, the provided information does not explicitly mention compliance impacts or specific regulatory consequences.
Can you explain this vulnerability to me?
CVE-2026-35403 is a cross-site scripting (XSS) vulnerability found in the survey_accounts module of the LORIS web application versions from 15.10 up to 27.0.2 and 28.0.0.
The issue occurs when a user provides an invalid visit label. Although the input data is properly JSON encoded, the HTTP response does not include the "Content-Type: application/json; charset=utf-8" header.
Because of the missing content-type header, web browsers may interpret the response as HTML instead of JSON, which allows an attacker to execute malicious scripts if a user is tricked into clicking a specially crafted invalid link.
This vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and was fixed by adding the correct content-type header in later versions.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform a cross-site scripting attack by tricking a user into following a malicious link containing an invalid visit label.
The impact includes unauthorized access to sensitive data (high confidentiality impact) because the attacker can execute scripts in the context of the victim's browser.
The integrity impact is low, meaning limited ability to modify data, and there is no impact on availability.
Exploitation requires network access, low privileges, and user interaction (the victim must click the malicious link).
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your LORIS installation is running a vulnerable version (from 15.10 up to 27.0.2 and 28.0.0) and if the survey_accounts module is enabled.
You can test for the vulnerability by sending a request with an invalid visit label to the survey_accounts module and observing the HTTP response headers.
Specifically, you can use curl or similar tools to check if the Content-Type header is missing or not set to 'application/json; charset=utf-8'. For example:
- curl -i -X POST 'http://your-loris-instance/modules/survey_accounts/ajax/ValidateEmailSubmitInput.php' -d 'visit_label=invalid_label'
If the response does not include the header 'Content-Type: application/json; charset=utf-8', the system is likely vulnerable to this XSS issue.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation steps include:
- Upgrade LORIS to version 27.0.3 or 28.0.1 or later, where the vulnerability is fixed by adding the correct Content-Type header.
- If upgrading is not immediately possible, disable the survey_accounts module if it is not in use to prevent exposure.
- Avoid clicking or following suspicious or untrusted links that may contain crafted invalid visit labels.