105 matches found

CVE
added 2026/04/08 6:22 p.m. | 3 views

CVE-2026-34985

LORIS (Longitudinal Online Research and Imaging System) has an access-control flaw in the media module: from 16.1.0 up to just before 27.0.3 and 28.0.1, the frontend filters access-restricted files but the backend did not enforce access checks, allowing unauthorized users to access a file if the ...

CVSS: 6.5 | AI score: 5.9 | EPSS: 0.00012
Exploits: 0 | References: 1 | Affected Software: 1
Vulnrichment
added 2026/04/08 6:22 p.m. | 3 views

CVE-2026-34985 LORIS has incorrect access checks in media module

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the...

CVSS: 6.3 | AI score: 5.8 | EPSS: 0.00012
Exploits: 0 | References: 1
Cvelist
added 2026/04/08 6:22 p.m. | 25 views

CVE-2026-34985 LORIS has incorrect access checks in media module

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the...

CVSS: 6.3 | EPSS: 0.00012
Exploits: 0 | References: 1
CNNVD
added 2026/04/08 12:00 a.m. | 3 views

LORIS Neuroimaging Platform security vulnerability

LORIS Neuroimaging Platform is a neuroimaging platform open sourced by ACElab. Versions of LORIS Neuroimaging Platform prior to 27.0.3 and 28.0.1 contained security vulnerabilities. These vulnerabilities stemmed from lack of access checks in the media module backend, which could allow unauthorize...

CVSS: 6.5 | AI score: 5.8 | EPSS: 0.00012
Exploits: 0 | References: 2
Positive Technologies
added 2026/04/08 12:00 a.m. | 9 views

PT-2026-31425

Name of the Vulnerable Software and Affected Versions: LORIS versions 16.1.0 through 27.0.2 and 28.0.0. Description: The LORIS application, used for data and project management in neuroimaging research, had a flaw where backend access checks were missing for files. This allowed unauthorized access t...

CVSS: 6.3 | AI score: 5.9 | EPSS: 0.00012
Exploits: 0 | References: 4
Cvelist
added 2026/02/25 9:15 p.m. | 17 views

CVE-2026-26984 LORIS media module vulnerable to remote code execution

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to...

CVSS: 8.7 | EPSS: 0.00165
Exploits: 0 | References: 3
CVE
added 2026/02/25 9:15 p.m. | 6 views

CVE-2026-26984

CVE-2026-26984 affects the LORIS media module. An authenticated user with sufficient privileges can abuse a path traversal flaw to upload a malicious file to an arbitrary server location, enabling remote code execution (RCE). Vulnerable versions are before 26.0.5, 27.0.2, and 28.0.0; fixed in 26....

CVSS: 8.8 | AI score: 8.9 | EPSS: 0.00165
Exploits: 0 | References: 3 | Affected Software: 1
Vulnrichment
added 2026/02/25 9:15 p.m. | 4 views

CVE-2026-26984 LORIS media module vulnerable to remote code execution

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to...

CVSS: 8.7 | AI score: 6.5 | EPSS: 0.00165
Exploits: 0 | References: 3
OSV
added 2026/02/25 9:15 p.m. | 4 views

CVE-2026-26984 LORIS media module vulnerable to remote code execution

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to...

CVSS: 8.7 | AI score: 6.6 | EPSS: 0.00165
Exploits: 0 | References: 5
EUVD
added 2026/02/25 9:15 p.m. | 4 views

EUVD-2026-8746

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to...

CVSS: 8.7 | AI score: 6.5 | EPSS: 0.00165
Exploits: 0 | References: 3
RedhatCVE
added 2025/12/23 1:18 p.m. | 1 view

CVE-2025-67291

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00033
Exploits: 1 | References: 1
Snyk
added 2025/12/22 9:30 p.m. | 2 views

Cross-site Scripting (XSS)

Overview: piranha is a complete rewrite of Piranha CMS for .NET Core. Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Name field in the Media module. An attacker can execute arbitrary web scripts or HTML by injecting crafted payloads. Details: Cross-site...

CVSS: 6.1 | AI score: 5.4 | EPSS: 0.00033
Exploits: 1 | References: 2
OSV
added 2025/12/22 9:30 p.m. | 0 views

GHSA-83FP-HH9M-C2JQ Piranha has stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

CVSS: 4.8 | AI score: 5.5 | EPSS: 0.00033
Exploits: 1 | References: 4
Github Security Blog
added 2025/12/22 9:30 p.m. | 4 views

Piranha has stored cross-site scripting (XSS) vulnerability

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

CVSS: 6.1 | AI score: 5.6 | EPSS: 0.00033
Exploits: 1 | References: 4 | Affected Software: 1
OSV
added 2025/12/22 8:15 p.m. | 1 view

CVE-2025-67291

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

CVSS: 6.1 | AI score: 5.4 | EPSS: 0.00033
Exploits: 1 | References: 2
NVD
added 2025/12/22 8:15 p.m. | 1 view

CVE-2025-67291

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

CVSS: 6.1 | EPSS: 0.00033
Exploits: 1 | References: 2
Cvelist
added 2025/12/22 12:00 a.m. | 19 views

CVE-2025-67291

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

EPSS: 0.00033
Exploits: 1 | References: 2
CVE
added 2025/12/22 12:00 a.m. | 5 views

CVE-2025-67291

CVE-2025-67291 affects Piranha CMS, Media module in version 12.1. The vulnerability is a stored XSS: an attacker can inject a crafted payload into the Name field, leading to execution of arbitrary web scripts/HTML in a user’s browser. Documents from multiple sources (NVD, Red Hat, OSV) confirm th...

CVSS: 6.1 | AI score: 5.2 | EPSS: 0.00033
Exploits: 1 | References: 2 | Affected Software: 1
Vulnrichment
added 2025/12/22 12:00 a.m. | 1 view

CVE-2025-67291

A stored cross-site scripting (XSS) vulnerability in the Media module of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the Name field...

AI score: 5.2 | EPSS: 0.00033
Exploits: 1 | References: 2
Positive Technologies
added 2025/12/22 12:00 a.m. | 2 views

PT-2025-52685

Name of the Vulnerable Software and Affected Versions: Piranha CMS version 12.1. Description: A stored cross-site scripting (XSS) issue exists in the Media module. An attacker can inject a crafted payload into the Name field to execute arbitrary web scripts or HTML. Recommendations: At the moment, ther...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.00033
Exploits: 1 | References: 7