PT-2026-31426 · Loris · Loris
Published 2026-04-08 · Updated 2026-04-09 · CVE-2026-35165
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LORIS versions 21.0.0 through 27.0.2 and 28.0.0
Description: LORIS is a self-hosted web application for neuroimaging research data and project management. A flaw exists where the backend file-download endpoint did not properly verify the requesting user's file access permissions; only the frontend restricted access. This could allow an authenticated user to download files they are not authorized to access if they know or can determine the filename.
Recommendations: Update to version 27.0.3 or 28.0.1
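The pattern behind this class of flaw, as an added illustration rather than LORIS's own code: the data model (files belonging to projects, users who are project members), the filenames and the file contents are all constructed assumptions. The unchecked handler serves any known filename; the fixed handler makes the authorization decision on the server for every request, independent of what the UI offered.

```python
# Added illustration of a file-download endpoint with and without
# server-side authorization. Assumed, constructed data model: files
# belong to a project, users are members of projects. Not LORIS code.
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # project IDs this user is a member of


@dataclass(frozen=True)
class StoredFile:
    project: str
    content: bytes


# Constructed sample store, keyed by filename (the value an attacker
# would need to know or guess).
FILES = {
    "sub-001_T1w.nii.gz": StoredFile("projA", b"imaging data A"),
    "sub-002_T1w.nii.gz": StoredFile("projB", b"imaging data B"),
}


def user_may_access(user: User, f: StoredFile) -> bool:
    """Server-side authorization decision: membership in the file's project."""
    return f.project in user.projects


def download_unchecked(user: User, filename: str) -> bytes:
    """Vulnerable pattern: trusts that the frontend only listed permitted
    files, so any caller who knows a filename gets its contents."""
    return FILES[filename].content


def download_checked(user: User, filename: str) -> bytes:
    """Fixed pattern: authorization enforced on the backend per request.
    Unknown and forbidden files get the same response, so the endpoint
    does not leak which filenames exist."""
    f = FILES.get(filename)
    if f is None or not user_may_access(user, f):
        raise PermissionError("not authorized")
    return f.content


def run_demo() -> dict:
    """Returns outcomes for a member of projA requesting a projB file."""
    alice = User("alice", frozenset({"projA"}))
    own = download_checked(alice, "sub-001_T1w.nii.gz")
    leaked = download_unchecked(alice, "sub-002_T1w.nii.gz")
    try:
        download_checked(alice, "sub-002_T1w.nii.gz")
        denied = False
    except PermissionError:
        denied = True
    return {"own": own, "leaked": leaked, "denied": denied}
```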

Fix

IDOR

Weakness Enumeration

Related Identifiers

CVE-2026-35165

Affected Products

Loris