cvebase

Aces Loris vulnerabilities

11 known vulnerabilities affecting aces/loris.

Total CVEs: 11
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: HIGH 4, MEDIUM 7

Vulnerabilities

CVE-2026-26984 (P2, HIGH, CVSS 8.8) | fixed in 26.0.5 | affected: >= 27.0.0, < 27.0.2 | 2026-02-25
CWE-22: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on th
Source: nvd

CVE-2026-33350 (P3, HIGH, CVSS 7.5) | fixed in 27.0.3 | affected: >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-89: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter dat
Source: nvd

CVE-2026-35446 (P3, HIGH, CVSS 8.6) | affected: >= 24.0.0, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-552: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability i
Source: nvd

CVE-2026-34392 (P3, HIGH, CVSS 7.5) | affected: >= 20.0.0, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-552: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through t
Source: nvd

CVE-2026-26985 (P3, MEDIUM, CVSS 6.5) | affected: >= 24.0.0, < 26.0.5; >= 27.0.0, < 27.0.2 | 2026-02-25
CWE-22: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with the appropriate authorization can read configuration files on the server by exploiting a
Source: nvd

CVE-2026-34985 (P3, MEDIUM, CVSS 6.5) | affected: >= 16.1.0, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-639: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would b
Source: nvd

CVE-2026-35165 (P3, MEDIUM, CVSS 6.5) | affected: >= 21.0.0, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-639: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the document_repository frontend was restricting file access, the backend endpoint was not correctly verifying access permissions. A user could t
Source: nvd

CVE-2026-39985 (P4, MEDIUM, CVSS 6.1) | fixed in 27.0.3 | affected: >= 28.0.0, < 28.0.1 | 2026-04-09
CWE-601: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbi
Source: nvd

CVE-2026-35169 (P4, MEDIUM, CVSS 5.4) | affected: >= , < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-79: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the help_editor module of LORIS did not properly sanitize some user supplied variables which could result in a reflected cross-site scripting attack if a user
Source: nvd

CVE-2026-35403 (P4, MEDIUM, CVSS 5.4) | affected: >= 15.10, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-79: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 15.10 to before 27.0.3 and 28.0.1, there is a potential for a cross-site scripting attack in the survey_accounts module if a user provides an invalid visit label. While the data is properl
Source: nvd

CVE-2026-35400 (P4, MEDIUM, CVSS 4.3) | affected: >= 20.0.0, < 27.0.3; >= 28.0.0, < 28.0.1 | 2026-04-08
CWE-59: LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's POST request rather than the internal LORIS value. This
Source: nvd