PT-2026-22019 · Loris · Loris

Guillaume Pillot (+1)

Published 2026-02-25 · Updated 2026-03-05

CVE-2026-26984

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
LORIS versions prior to 26.0.5
LORIS versions prior to 27.0.2
LORIS versions prior to 28.0.0

Description
LORIS is a self-hosted web application used for data and project management in neuroimaging research. An authenticated user with sufficient privileges can exploit a path traversal flaw to upload a malicious file to an arbitrary location on the server. Successful exploitation could lead to remote code execution (RCE). If the server is configured as read-only, RCE is not possible, but a malicious file upload may still be achievable. Because the traversal allows files to be written outside the intended upload directory, the server's integrity is at risk even where code execution is not.

Recommendations
Update LORIS to version 26.0.5 or later.
Update LORIS to version 27.0.2 or later.
Update LORIS to version 28.0.0 or later.
If the media module is not in use, disable it as a workaround.
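The defect class described above is a file-upload handler that trusts a user-supplied name when building the destination path. The following is an added illustration of the containment check such a handler should apply; it is not LORIS code and does not reflect how the patched versions implement their fix. All names in it (`resolve_upload_path`, `is_safe_upload_name`, `save_upload`, `make_demo_root`, the character policy in `_NAME_RE`) are this example's own assumptions.

```python
# Added illustrative example, not LORIS code. Demonstrates the two-layer check an
# upload handler needs before writing a user-supplied file name under its upload
# directory: syntactic validation of the name, then a resolved-path containment
# check. Function and constant names here are assumptions for this example only.
import os
import re
import tempfile
from pathlib import Path

# Constructed policy: a flat file name, conservative character set, no leading dot
# (so "." and ".." can never pass, and hidden/config-style names are refused).
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


class UnsafeUploadPath(ValueError):
    """The requested name would escape, or is unsuitable for, the upload root."""


def resolve_upload_path(upload_root: str, requested_name: str) -> Path:
    """Return the absolute destination for `requested_name` inside `upload_root`,
    or raise UnsafeUploadPath. Never builds a path from an unchecked name."""
    root = Path(upload_root).resolve()

    # Layer 1: reject the name on its own terms. Separators, NUL bytes and
    # traversal components are all refused before any path is constructed.
    if not requested_name or "\x00" in requested_name:
        raise UnsafeUploadPath("empty name or NUL byte")
    if "/" in requested_name or "\\" in requested_name:
        raise UnsafeUploadPath("path separators are not allowed in a file name")
    if not _NAME_RE.match(requested_name):
        raise UnsafeUploadPath("file name contains disallowed characters")

    # Layer 2: resolve symlinks and confirm the target is directly inside the
    # root. This catches a symlink already present under the root that points
    # elsewhere, which no amount of string checking can see.
    candidate = (root / requested_name).resolve()
    if candidate.parent != root:
        raise UnsafeUploadPath(f"{requested_name!r} resolves outside the upload root")
    return candidate


def is_safe_upload_name(upload_root: str, requested_name: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_upload_path(upload_root, requested_name)
    except UnsafeUploadPath:
        return False
    return True


def save_upload(upload_root: str, requested_name: str, data: bytes) -> Path:
    """Write `data` only after the name passed both layers. The file is created
    exclusively (O_EXCL) and non-executable, so an existing file is never
    overwritten and a dropped script cannot simply be run in place."""
    dest = resolve_upload_path(upload_root, requested_name)
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return dest


def make_demo_root() -> str:
    """Create a throwaway upload root for demonstration and testing."""
    return tempfile.mkdtemp(prefix="upload-root-")


if __name__ == "__main__":
    root = make_demo_root()
    # Constructed sample names: one legitimate, the rest shapes a handler must refuse.
    for name in ("scan_001.nii.gz", "../outside.txt", "sub/../x.txt", "/abs.txt", ".hidden"):
        verdict = "accepted" if is_safe_upload_name(root, name) else "rejected"
        print(f"{name!r:20} -> {verdict}")
```

Both layers matter: the name policy alone misses a symlink planted inside the upload directory, and the resolved-path check alone would still accept odd but contained names. A read-only server only limits what an attacker can do after the write; the check above is what prevents the write from leaving the intended directory in the first place.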

Exploit · Fix · RCE · Unrestricted File Upload · Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-26984
GHSA-MPGC-C48M-6V2H

Affected Products

Loris