Severity by source
AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:L/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properly JSON encoded, the Content-Type header is not set causing the web browser to interpret the payload as HTML, opening the possibility of a cross-site scripting if a user is tricked into following an invalid link. This vulnerability is fixed in 27.0.3 and 28.0.1.
AnalysisAI
Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.
Technical ContextAI
LORIS is a self-hosted research data management platform for longitudinal neuroimaging studies. The survey_accounts module processes visit label inputs from authenticated users. The root cause (CWE-79: Improper Neutralization of Input During Web Page Generation) stems from a Content-Type header misconfiguration rather than inadequate output encoding. While JSON data itself is properly encoded, the missing or incorrect Content-Type header (likely text/html instead of application/json) causes the browser's MIME-sniffing behavior to interpret the response as HTML rather than structured data, allowing embedded scripts to execute. The vulnerability requires an authenticated user (PR:L) and user interaction (UI:R), limiting the attack surface to research team members with valid credentials who can be socially engineered.
RemediationAI
Vendor-released patches are available: LORIS 27.0.3 and 28.0.1 or later. Users running affected versions should upgrade immediately to either the 27.0.3 release (if on the 27.x branch) or 28.0.1 (if on the 28.x branch). The patch corrects the Content-Type header handling in the survey_accounts module to ensure responses are properly labeled as application/json, preventing browser MIME-sniffing attacks. No workarounds are documented; patching is the primary remediation. Refer to the GitHub Security Advisory at https://github.com/aces/Loris/security/advisories/GHSA-776p-5pwh-vc8p for detailed upgrade instructions and rollout guidance.
Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass pat
Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior t
Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configur
Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated at
SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote
Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticat
LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated us
LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend end
LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated us
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20578