PT-2026-31414 · Loris · Loris
Published
2026-04-08
·
Updated
2026-04-09
·
CVE-2026-34392
CVSS v3.1
7.5
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
LORIS versions 20.0.0 through 27.0.2 and 28.0.0
Description
A flaw exists in the static file router of LORIS, a web application for neuroimaging research data management. This issue allows an attacker to access files outside the intended directories by exploiting the static, css, and js API endpoints. The vulnerability is due to insufficient path validation, potentially leading to unintended file downloads.
Recommendations
Update to version 27.0.3 or 28.0.1
Fix
Files Accessible to External Parties
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Loris