CVE-2026-35446

HIGH

LORIS has a path traversal in FilesDownloadHandler

Title source: cna

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

References (1)

[X_Refsource_Confirm] https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759

Scores

CVSS v3 7.7

EPSS 0.0004

EPSS Percentile 10.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-552

Status published

Products (4)

aces/Loris >= 24.0.0, < 27.0.3

aces/Loris >= 28.0.0, < 28.0.1

mcgill/loris 28.0.0

mcgill/loris 24.0.0 - 27.0.2

Published Apr 08, 2026

Tracked Since Apr 09, 2026