CVE-2026-35446

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759	Patch Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:mcgill:loris::::::::
	cpe:2.3:a:mcgill:loris:28.0.0:::::::*

History

21 Apr 2026, 20:04

Type	Values Removed	Values Added
First Time		Mcgill Mcgill loris
References	~~() https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759 -~~	() https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759 - Patch, Vendor Advisory
CPE		cpe:2.3:a:mcgill:loris:::::::: cpe:2.3:a:mcgill:loris:28.0.0:::::::*

08 Apr 2026, 19:25

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-08 19:25

Updated : 2026-04-21 20:04

NVD link : CVE-2026-35446

Mitre link : CVE-2026-35446

CVE.ORG link : CVE-2026-35446

JSON object : View

Products Affected

mcgill

loris

CWE

CWE-552

Files or Directories Accessible to External Parties

{"id": "CVE-2026-35446", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.6, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.9}]}, "published": "2026-04-08T19:25:24.217", "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759", "tags": ["Patch", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-552"}]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "lastModified": "2026-04-21T20:04:43.860", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "54A016B3-10EE-475A-AE81-B2B651F4F3B0", "versionEndIncluding": "27.0.2", "versionStartIncluding": "24.0.0"}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}