Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Lifecycle Timeline
7DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user is tricked into following an invalid link. The same input vector could also allow an attacker to download arbitrary markdown files on an unpatched server. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.
Technical ContextAI
CWE-79 reflected XSS stems from insufficient input validation in help_editor module user-supplied variables. Dual exploitation path: malicious payloads reflect into HTML responses causing script execution, while same injection vector enables path traversal to retrieve arbitrary markdown files. CVSS vector PR:L indicates authenticated context; UI:R confirms social engineering dependency. Scope change (S:C) reflects cross-domain impact potential.
RemediationAI
Vendor-released patches: upgrade to LORIS version 27.0.3 for 27.x deployments or 28.0.1 for 28.x deployments, which implement proper input sanitization in the help_editor module. Consult the official security advisory at https://github.com/aces/Loris/security/advisories/GHSA-j2p3-58m2-v6q3 for upgrade instructions and additional context. If immediate patching is not feasible, restrict access to the help_editor module to only trusted administrative users, implement web application firewall rules to detect reflected XSS patterns in help_editor parameters, and audit markdown file permissions to prevent unauthorized access. Deploy Content Security Policy headers to mitigate XSS execution impact as a defense-in-depth measure.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20574