CVE-2026-35169 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: April 8, 2026
LORIS - Reflected XSS
Published: April 8, 2026 | Updated: April 8, 2026 | Remote Exploitable
Overview
LORIS < 27.0.3 and < 28.0.1 contains a reflected cross-site scripting (XSS) vulnerability caused by improper sanitization of user-supplied variables in the help_editor module. It lets attackers execute scripts or download arbitrary markdown files. Exploitation requires the user to follow a crafted link.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Attackers can execute scripts in users' browsers or download arbitrary markdown files, potentially leading to data exposure or session compromise.
Mitigation
Update to version 27.0.3 or 28.0.1.
Details
- CVE ID: CVE-2026-35169
- Severity: High
- CVSS Score: 8.7
- Type: reflected_xss
- Status: unconfirmed
CWE
- CWE-79
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N