Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.
Technical ContextAI
Unsafe SQL query construction in MRI feedback popup code allows direct database query manipulation. CWE-89 SQL injection stems from inadequate input sanitization in imaging browser's feedback window handler. Attack requires no authentication (PR:N) and exploits LORIS's web application tier to bypass database access controls.
RemediationAI
Vendor-released patch: upgrade to LORIS version 27.0.3 (for 27.x deployments) or 28.0.1 (for 28.x deployments). These releases implement parameterized queries and input validation to prevent SQL injection in the MRI feedback popup. No workarounds exist; upgrade is mandatory. Installations using affected versions should audit database access logs for suspicious query patterns prior to patching. Consult official security advisory for upgrade procedures: https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh. Post-upgrade, verify imaging browser MRI feedback functionality operates normally without SQL injection risk.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20552