Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.
Technical ContextAI
CWE-552 (Files or Directories Accessible to External Parties) manifests through operation-ordering flaw in FilesDownloadHandler class. Authentication requirement (PR:L) indicates low-privileged user exploitation. Cross-scope impact (S:C) suggests access beyond user's assigned research projects. Root cause lies in premature path resolution before security boundary enforcement, enabling classic directory escape sequences.
RemediationAI
Vendor-released patches: upgrade to LORIS 27.0.3 or 28.0.1, which correct the operation sequence in FilesDownloadHandler to validate path boundaries before file access. For version 27.x deployments, apply 27.0.3; for version 28.x, apply 28.0.1. Installations on unsupported 24.x-26.x branches must migrate to supported release train. No effective workaround exists without code modification; file download functionality cannot be safely disabled without breaking core research workflows. Verify patch application by testing directory traversal sequences (../, absolute paths) are rejected post-upgrade. Official security advisory with detailed remediation steps: https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20580