Severity by source
AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This could result in a theoretical attacker with publication module access forging an email to an external domain under the attacker's control which appeared to come from LORIS. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated users with publication module access to forge emails appearing to originate from LORIS by submitting a malicious baseURL parameter in POST requests, enabling email spoofing attacks against external recipients. The vulnerability requires user interaction (email recipient click) and publication module privileges but could facilitate social engineering or phishing campaigns. Fixed in versions 27.0.3 and 28.0.1.
Technical ContextAI
LORIS is a self-hosted neuroimaging research data management platform. The vulnerability exists in the publication module's email generation endpoint, which fails to validate and sanitize the baseURL parameter submitted by users in POST requests. Instead of using the internally-configured LORIS baseURL value (which represents the legitimate server domain), the application trusts user-supplied input to construct email content. This violates the principle of trusting only authoritative internal configuration sources for security-critical values like email sender domains. The root cause is improper input validation and reliance on untrusted user input (CWE-59: Improper Link Resolution Before File Access, though more accurately CWE-20: Improper Input Validation) for constructing email headers and content that should derive exclusively from server configuration.
RemediationAI
Upgrade LORIS to version 27.0.3 or later if running the 27.x branch, or upgrade to version 28.0.1 or later if running the 28.x branch. Organizations unable to upgrade immediately should restrict publication module access to trusted internal staff only and monitor email logs for anomalous baseURL parameters in POST requests to publication endpoints. Security advisory details are available at https://github.com/aces/Loris/security/advisories/GHSA-6prw-34x8-3gpg. Review access controls for the publication module to limit exposure to users who have legitimate need for that functionality.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
Same weakness CWE-59 – Improper Link Resolution Before File Access
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20576