PT-2026-31430 · Loris · Loris
Published
2026-04-08
·
Updated
2026-04-08
·
CVE-2026-35446
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
LORIS versions 24.0.0 through 27.0.2 and 28.0.0
Description
LORIS is a self-hosted web application used for data and project management in neuroimaging research. An incorrect order of operations within the FilesDownloadHandler could allow an attacker to escape intended download directories.
Recommendations
Update to version 27.0.3 or 28.0.1.
Fix
Files Accessible to External Parties
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Loris