Is this vulnerability remotely exploitable?

Yes. An attacker can exploit it remotely by sending crafted URLs to users who can access the LORIS application. If a victim follows the link in a browser, the reflected XSS payload can run, and the file download path can be triggered without additional local access.

Does an attacker need authentication to exploit this issue?

The ability to send a link does not require authentication, but the impact depends on the victim's session. If the victim is authenticated to LORIS, the attacker's script executes with that user's privileges. For file downloads, network access to the LORIS web interface is required; exposure severity may increase if the instance is internet-accessible.

What is the safest general fix pattern for developers?

The strongest pattern is to enforce strict output encoding for all user-supplied data in templates, combined with centralized, whitelist-based file-serving APIs that control which resources can be accessed. Avoid direct use of raw request parameters in HTML or file path construction.

Severity:

HIGH RISK

(8.7)

Reflected XSS and Arbitrary File Download (CWE-79, CWE-552) in LORIS help_editor Module

CVE-2026-35169

Published:

Apr 8, 2026

Status:

Undergoing Analysis

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

Remote Code Execution on the Router

April 12, 2026

CWE-77;CWE-78

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Remote Code Execution on the Router

April 12, 2026

Vulnerability Type

Category:

Cross-Site Scripting and Insecure Direct Object Access

CWE:

CWE-79;CWE-552

Impact:

Reflected XSS and Unauthorized File Access

Severity:

HIGH RISK

(8.7)

CVSS Version:

3.1

Vulnerability Type

Category:

Cross-Site Scripting and Insecure Direct Object Access

CWE:

CWE-79;CWE-552

Impact:

Reflected XSS and Unauthorized File Access

Severity:

HIGH RISK

(8.7)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

START 14 DAYS FREE TRIAL

BOOK A DEMO

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Made with Love in San Francisco

355 Bryant St. San Francisco, CA 94107, USA

Ask AI for summary of CodeAnt

Reflected XSS and Arbitrary File Download (CWE-79, CWE-552) in LORIS help_editor Module

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI Handler setAccessDeviceCfg

CRITICAL RISK

CRITICAL

(9.8)

OS Command Injection (CWE-78) in Totolink A7100RU CGI setLedCfg Handler

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare

Product

Pricing

Company

Legal

Developers

Compare