Skip to main content

Open Redirect CVE-2026-39985

| EUVD-2026-20978 MEDIUM
URL Redirection to Untrusted Site (Open Redirect) (CWE-601)
2026-04-09 GitHub_M
Open Redirect
4.3
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 09, 2026 - 17:45 euvd
EUVD-2026-20978
Analysis Generated
Apr 09, 2026 - 17:45 vuln.today
CVE Published
Apr 09, 2026 - 17:08 nvd
MEDIUM 4.3

DescriptionNVD

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

Open redirect vulnerability in LORIS (Longitudinal Online Research and Imaging System) versions prior to 27.0.3 and 28.0.1 allows unauthenticated remote attackers to redirect authenticated users to arbitrary external websites via a malicious redirect parameter during login. The vulnerability requires user interaction (clicking a crafted link) but poses a meaningful phishing risk in neuroimaging research environments where LORIS deployments are common. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-39985 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy