Skip to main content

Loris EUVDEUVD-2026-20557

| CVE-2026-34392 HIGH
Files or Directories Accessible to External Parties (CWE-552)
2026-04-08 GitHub_M
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:52 vuln.today
cvss_changed
Analysis Updated
Apr 16, 2026 - 06:01 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
28.0.1,27.0.3
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20557
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 17:57 nvd
HIGH 7.5

DescriptionGitHub Advisory

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.

AnalysisAI

Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticated remote attackers to download arbitrary files outside intended directories via malicious requests to static file router endpoints (/static, /css, /js). Vulnerability permits high-impact information disclosure including sensitive research data, configuration files, and potentially database credentials. No public exploit identified at time of analysis. Affects self-hosted LORIS installations across academic and clinical neuroimaging research environments.

Technical ContextAI

Directory traversal flaw in static file routing logic fails to sanitize path parameters, allowing '../' sequences to escape document root boundaries. CWE-552 (externally accessible file/directory) combined with absent input validation on file path construction. CVSS vector PR:N confirms unauthenticated exploitation over network without user interaction.

RemediationAI

Vendor-released patch: upgrade immediately to LORIS 27.0.3 (for 27.x branch) or 28.0.1 (for 28.x branch). Both versions contain corrected static file router logic with path validation. No workaround available for unpatched versions; vulnerability resides in core routing component requiring code-level fix. Organizations unable to upgrade immediately should restrict network access to LORIS instances via firewall rules limiting exposure to trusted IP ranges. Review web server access logs for suspicious requests containing traversal sequences (../ or URL-encoded equivalents) targeting /static, /css, /js endpoints. Full advisory and patch details: https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f

Share

EUVD-2026-20557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy