CVE-2026-35446 | THREATINT

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

PUBLISHED Reserved 2026-04-02 | Published 2026-04-08 | Updated 2026-04-08 | Assigner GitHub_M

HIGH: 7.7CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Problem types

CWE-552: Files or Directories Accessible to External Parties

Product status

>= 24.0.0, < 27.0.3

affected

>= 28.0.0, < 28.0.1

affected

References

github.com/.../Loris/security/advisories/GHSA-47jj-7xfg-8759

cve.org (CVE-2026-35446)

nvd.nist.gov (CVE-2026-35446)

Download JSON