Skip to main content

Loris EUVDEUVD-2026-20552

| CVE-2026-33350 HIGH
SQL Injection (CWE-89)
2026-04-08 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
27.0.3,28.0.1
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20552
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 17:47 nvd
HIGH 7.5

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.

Technical ContextAI

Unsafe SQL query construction in MRI feedback popup code allows direct database query manipulation. CWE-89 SQL injection stems from inadequate input sanitization in imaging browser's feedback window handler. Attack requires no authentication (PR:N) and exploits LORIS's web application tier to bypass database access controls.

RemediationAI

Vendor-released patch: upgrade to LORIS version 27.0.3 (for 27.x deployments) or 28.0.1 (for 28.x deployments). These releases implement parameterized queries and input validation to prevent SQL injection in the MRI feedback popup. No workarounds exist; upgrade is mandatory. Installations using affected versions should audit database access logs for suspicious query patterns prior to patching. Consult official security advisory for upgrade procedures: https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh. Post-upgrade, verify imaging browser MRI feedback functionality operates normally without SQL injection risk.

Share

EUVD-2026-20552 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy