Skip to main content

Loris

10 CVEs product

Monthly

CVE-2026-35446 HIGH PATCH This Week

Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.

Information Disclosure Path Traversal Loris
NVD GitHub
CVSS 3.1
7.7
EPSS
0.0%
CVE-2026-35403 MEDIUM PATCH This Month

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

XSS Loris
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-35400 LOW PATCH Monitor

LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated users with publication module access to forge emails appearing to originate from LORIS by submitting a malicious baseURL parameter in POST requests, enabling email spoofing attacks against external recipients. The vulnerability requires user interaction (email recipient click) and publication module privileges but could facilitate social engineering or phishing campaigns. Fixed in versions 27.0.3 and 28.0.1.

Information Disclosure Loris
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-35169 HIGH PATCH This Week

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

XSS Loris
NVD GitHub
CVSS 3.1
8.7
EPSS
0.0%
CVE-2026-35165 MEDIUM PATCH This Month

LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.

Authentication Bypass Loris
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-34985 MEDIUM PATCH This Month

LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.

Authentication Bypass Loris
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-34392 HIGH PATCH This Week

Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticated remote attackers to download arbitrary files outside intended directories via malicious requests to static file router endpoints (/static, /css, /js). Vulnerability permits high-impact information disclosure including sensitive research data, configuration files, and potentially database credentials. No public exploit identified at time of analysis. Affects self-hosted LORIS installations across academic and clinical neuroimaging research environments.

Information Disclosure Path Traversal Loris
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-33350 HIGH PATCH This Week

SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.

SQLi Loris
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26985 HIGH This Week

Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. No patch is currently available for affected versions.

Path Traversal Loris
NVD GitHub
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-26984 HIGH This Week

Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.

RCE Path Traversal Loris
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 7.7
HIGH PATCH This Week

Path traversal in LORIS neuroimaging research platform versions 24.0.0 through 27.0.2 and 28.0.0 allows authenticated attackers to bypass directory restrictions in FilesDownloadHandler, enabling unauthorized access to files outside intended download directories. The vulnerability exploits incorrect operation ordering during file access validation, permitting low-privileged authenticated users to exfiltrate sensitive neuroimaging data and project files across organizational boundaries. CVSS 7.7 severity reflects cross-scope confidentiality breach with network accessibility and low attack complexity. No public exploit identified at time of analysis.

Information Disclosure Path Traversal Loris
NVD GitHub
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Cross-site scripting (XSS) in LORIS survey_accounts module (versions 15.10 through 27.0.2 and 28.0.0) allows authenticated users with low privileges to inject malicious scripts via invalid visit labels. The vulnerability arises because responses are JSON-encoded but lack a proper Content-Type header, causing browsers to interpret the payload as HTML. An attacker can trick a victim into following a crafted link to execute arbitrary JavaScript in the victim's browser context, potentially compromising sensitive neuroimaging research data. Fixed in versions 27.0.3 and 28.0.1.

XSS Loris
NVD GitHub
EPSS 0% CVSS 3.5
LOW PATCH Monitor

LORIS (Longitudinal Online Research and Imaging System) versions 20.0.0 through 27.0.2 and 28.0.0 allow authenticated users with publication module access to forge emails appearing to originate from LORIS by submitting a malicious baseURL parameter in POST requests, enabling email spoofing attacks against external recipients. The vulnerability requires user interaction (email recipient click) and publication module privileges but could facilitate social engineering or phishing campaigns. Fixed in versions 27.0.3 and 28.0.1.

Information Disclosure Loris
NVD GitHub
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Reflected cross-site scripting and arbitrary markdown file download in LORIS help_editor module affects versions prior to 27.0.3 and 28.0.1. Improper input sanitization allows authenticated attackers with low privileges to execute malicious scripts in victim browsers (requiring user interaction) and exfiltrate markdown files from the server. Attack requires network access and social engineering to trick users into following crafted links. No public exploit identified at time of analysis.

XSS Loris
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

LORIS versions 21.0.0 through 27.0.2 and 28.0.0 suffer from broken access control in the document_repository backend endpoint, allowing authenticated users to bypass frontend restrictions and download files they should not have access to by knowing or brute-forcing filenames. CVSS 6.3 (medium severity) with confirmed patch availability in versions 27.0.3 and 28.0.1. No public exploit code or active exploitation confirmed.

Authentication Bypass Loris
NVD GitHub
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

LORIS (Longitudinal Online Research and Imaging System) versions 16.1.0 through 27.0.2 and 28.0.0 allow authenticated users to bypass backend access controls in the media module and access files they should not have permission to view, provided they know the filename. The vulnerability stems from missing server-side authorization checks that should prevent unauthorized file access, enabling confidentiality and integrity compromise of sensitive neuroimaging research data. The issue is fixed in versions 27.0.3 and 28.0.1.

Authentication Bypass Loris
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Path traversal in LORIS neuroimaging research platform (versions 20.0.0 through 27.0.2 and 28.0.0) enables unauthenticated remote attackers to download arbitrary files outside intended directories via malicious requests to static file router endpoints (/static, /css, /js). Vulnerability permits high-impact information disclosure including sensitive research data, configuration files, and potentially database credentials. No public exploit identified at time of analysis. Affects self-hosted LORIS installations across academic and clinical neuroimaging research environments.

Information Disclosure Path Traversal Loris
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

SQL injection in LORIS neuroimaging research platform versions prior to 27.0.3 and 28.0.1 enables unauthenticated remote attackers to extract or modify database contents via the MRI feedback popup window in the imaging browser module. The vulnerability permits unauthorized access to sensitive neuroimaging research data and project management information without authentication. CVSS 7.5 (High severity) reflects network-accessible attack vector with low complexity. No public exploit identified at time of analysis.

SQLi Loris
NVD GitHub
EPSS 0% CVSS 8.1
HIGH This Week

Authenticated users in LORIS 24.0.0 through 28.0.0 can exploit a path traversal vulnerability to read arbitrary configuration files containing hardcoded database and service credentials. An attacker with valid application access and appropriate permissions can leverage publicly available source code to easily craft requests that expose these sensitive files, potentially enabling lateral movement to backend systems. No patch is currently available for affected versions.

Path Traversal Loris
NVD GitHub
EPSS 0% CVSS 8.8
HIGH This Week

Remote code execution in LORIS neuroimaging platform allows authenticated users with sufficient privileges to bypass path traversal protections and upload malicious files to arbitrary server locations. An attacker can leverage the uploaded file to achieve code execution on the underlying system, though read-only server configurations may prevent actual execution. The vulnerability affects versions prior to 26.0.5, 27.0.2, and 28.0.0, with no patch currently available.

RCE Path Traversal Loris
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy