LORIS Email Forgery Vulnerability in Publication Module

Vulnerability

A vulnerability exists in the publication module of the LORIS web application, affecting versions 20.0.0 up to but not including 27.0.3, and version 28.0.0. An endpoint in the publication module uses a baseURL value supplied by the client in the POST request body instead of the base URL configured internally in LORIS. As a result, an attacker with access to the publication module can cause LORIS to send a forged email to an external domain under their control, with the message appearing to originate from LORIS.
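
The pattern described above, shown as an added example that is not LORIS's own code: a notification handler that builds a link from a client-supplied baseURL, next to the hardened version that only ever uses the server-side configured value, plus a check that flags links whose origin differs from the configured one. The function names, the config constant, the attacker host and the POST body are all constructed for this illustration.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urljoin

# Assumed server-side configuration (stand-in for the internal LORIS value).
# The hardened handler must take the base URL from here, never from the request.
CONFIG_BASE_URL = "https://loris.example.org/"
NOTIFICATION_SENDER = "noreply@loris.example.org"


@dataclass
class Email:
    sender: str
    recipient: str
    subject: str
    body: str


def _render(base_url: str, pub_id: str, title: str) -> str:
    """Render the notification body; the link is derived from base_url."""
    link = urljoin(base_url, f"publication/view/{pub_id}")
    return (f'The publication project "{title}" was submitted.\n'
            f"Review it at {link}\n")


def build_notification_vulnerable(post: dict, recipient: str) -> Email:
    """Vulnerable pattern: honours a baseURL field taken from the POST body."""
    base_url = post.get("baseURL", CONFIG_BASE_URL)  # attacker-controlled
    return Email(NOTIFICATION_SENDER, recipient, "Publication submitted",
                 _render(base_url, post["id"], post["title"]))


def build_notification_fixed(post: dict, recipient: str) -> Email:
    """Hardened pattern: any client-supplied baseURL is ignored entirely."""
    return Email(NOTIFICATION_SENDER, recipient, "Publication submitted",
                 _render(CONFIG_BASE_URL, post["id"], post["title"]))


_URL_RE = re.compile(r'https?://[^\s<>"]+')


def foreign_links(email: Email) -> list:
    """Return every URL in the body whose scheme/host differ from the
    configured base URL. Usable as a regression test or as a last-line
    guard before handing mail to the MTA."""
    expected = urlsplit(CONFIG_BASE_URL)
    return [
        url for url in _URL_RE.findall(email.body)
        if (urlsplit(url).scheme, urlsplit(url).netloc)
        != (expected.scheme, expected.netloc)
    ]


# Constructed request body: a user with publication-module access supplies
# their own host as baseURL.
ATTACKER_POST = {"id": "42", "title": "Demo study",
                 "baseURL": "https://attacker.example/"}

if __name__ == "__main__":
    recipient = "reviewer@loris.example.org"
    vuln = build_notification_vulnerable(ATTACKER_POST, recipient)
    fixed = build_notification_fixed(ATTACKER_POST, recipient)
    print("vulnerable body:\n" + vuln.body)
    print("foreign links:", foreign_links(vuln))
    print("fixed body:\n" + fixed.body)
    print("foreign links:", foreign_links(fixed))
```

With the vulnerable handler the email, still sent from the LORIS sender address, carries a link to attacker.example; the fixed handler produces the same message with the configured origin regardless of what the request contained.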

Impact

Exploitation of this vulnerability results in email forgery: an attacker can have LORIS send email to external domains under their control, with the messages appearing to come from LORIS.

Remediation

Update to LORIS 27.0.3 (for the 27.x branch) or 28.0.1 (for the 28.x branch) to address this vulnerability. Projects that do not use the publication module can instead disable it in LORIS.

Added: Apr 8, 2026, 7:57 PM
Updated: Apr 8, 2026, 7:57 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.9
remediation: 0.0
relevance: 5.5
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.