PT-2026-22025 · Loris

Author: Guillaume Pillot (+1)

Published: 2026-02-25 · Updated: 2026-03-05

CVE: CVE-2026-26985

CVSS v3.1: 8.1 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

LORIS versions prior to 26.0.5
LORIS versions prior to 27.0.2
LORIS versions prior to 28.0.0

Description

LORIS is a self-hosted web application used for data and project management in neuroimaging research. An authenticated user with appropriate authorization can read server configuration files through a path traversal issue. These files may contain hard-coded credentials that could be reused to authenticate to the database or other services. The application source code is publicly available, and the issue is considered easy to exploit. The vulnerability therefore gives an authenticated user access to configuration files containing hard-coded credentials.

Recommendations

LORIS versions prior to 26.0.5 should be updated to version 26.0.5 or later.
LORIS versions prior to 27.0.2 should be updated to version 27.0.2 or later.
LORIS versions prior to 28.0.0 should be updated to version 28.0.0 or later.
As a workaround, an administrator can disable the electrophysiology browser module using the module manager.

Exploit

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2026-26985
GHSA-G3PP-RQVQ-XXHP

Affected Products

Loris