Is this vulnerability remotely exploitable?

Yes. An attacker can exploit it remotely by sending crafted URLs to users who can access the LORIS application. If a victim follows the link in a browser, the reflected XSS payload can run, and the file download path can be triggered without additional local access.

Does an attacker need authentication to exploit this issue?

The ability to send a link does not require authentication, but the impact depends on the victim's session. If the victim is authenticated to LORIS, the attacker's script executes with that user's privileges. For file downloads, network access to the LORIS web interface is required; exposure severity may increase if the instance is internet-accessible.

What is the safest general fix pattern for developers?

The strongest pattern is to enforce strict output encoding for all user-supplied data in templates, combined with centralized, whitelist-based file-serving APIs that control which resources can be accessed. Avoid direct use of raw request parameters in HTML or file path construction.

Severity:

HIGH RISK

(8.7)

Reflected XSS and Arbitrary File Download (CWE-79, CWE-552) in LORIS help_editor Module

CVE-2026-35169

Published:

Apr 8, 2026

Status:

Analyzed

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

NDV

Recent Vulnerabilities

CWE-94

HIGH RISK

HIGH

(8.8)

PHP Code Injection via File Upload (CWE-94) in Aero CMS Admin Post Creation

Remote Code Execution by authenticated users via malicious file upload

May 10, 2026

CWE-94

HIGH RISK

HIGH

(8.8)

Code Injection (CWE-94) via Module Parameters in Evolution CMS

Remote Code Execution by Authenticated Users

May 10, 2026

Vulnerability Type

Category:

Cross-Site Scripting and Insecure Direct Object Access

CWE:

CWE-79;CWE-552

Impact:

Reflected XSS and Unauthorized File Access

Severity:

HIGH RISK

(8.7)

CVSS Version:

3.1

Vulnerability Type

Category:

Cross-Site Scripting and Insecure Direct Object Access

CWE:

CWE-79;CWE-552

Impact:

Reflected XSS and Unauthorized File Access

Severity:

HIGH RISK

(8.7)

CVSS Version:

3.1

Catch This CVE While Code Is Being Written

Detect vulnerable code directly in pull requests, so CVEs are fixed before merge.

Get Started

Ship clean & secure code faster

Start Free Trial

Get Pentest Report

Ship clean & secure code faster

Start Free Trial

Get Pentest Report

Ship clean & secure code faster

Start Free Trial

Get Pentest Report

CodeAnt AI is an offensive and defensive security platform.

Defensive + offensive security.

From first line of code to a pentest
that knows every line of it.

SOC 2 Type II certified | CodeAnt AI is independently audited and compliant with SOC 2 Type II security standards

Ask AI for summary of CodeAnt

Defensive + offensive security.

From first line of code to a pentest that knows every line of it.

Ask AI for summary of CodeAnt

Defensive + offensive security.

From first line of code to a pentest that knows every line of it.

Ask AI for summary of CodeAnt

Reflected XSS and Arbitrary File Download (CWE-79, CWE-552) in LORIS help_editor Module

Summary

Affected Context

Exploit Preconditions

Why This Happens

Potential Impact

General Mitigation Guidance

How Teams Detect Issues Like This

Frequently Asked Questions

Source

Recent Vulnerabilities

HIGH RISK

HIGH

(8.8)

PHP Code Injection via File Upload (CWE-94) in Aero CMS Admin Post Creation

HIGH RISK

HIGH

(8.8)

Code Injection (CWE-94) via Module Parameters in Evolution CMS

Vulnerability Type

Vulnerability Type

Vulnerability Type

Catch This CVE While Code Is Being Written

Ship clean & secure code faster

Ship clean & secure code faster

Ship clean & secure code faster

Product

Compare

Company

Developers

Legal

Product

Compare

Company

Developers

Legal

Product

Compare

Company

Developers

Legal