
29 matches found

RedhatCVE
added 2026/06/05 7:23 p.m., 6 views

CVE-2026-35165

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the documentrepository frontend was restricting file access, the backend endpoint was not...

CVSS 6.5 | AI score 5.5 | EPSS 0.00165
Exploits 0 | References 1
RedhatCVE
added 2026/04/10 7:22 p.m., 3 views

CVE-2026-39985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

CVSS 6.1 | AI score 5.9 | EPSS 0.00204
Exploits 0 | References 1
NVD
added 2026/04/09 6:17 p.m., 2 views

CVE-2026-39985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

CVSS 6.1 | EPSS 0.00204
Exploits 0 | References 4
EUVD
added 2026/04/09 5:8 p.m., 4 views

EUVD-2026-20978

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

CVSS 4.3 | AI score 6 | EPSS 0.00204
Exploits 0 | References 4
ATTACKERKB
added 2026/04/09 5:8 p.m., 5 views

CVE-2026-39985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

CVSS 4.3 | AI score 6 | EPSS 0.00204
Exploits 0 | References 5 | Affected Software 1
Cvelist
added 2026/04/09 5:8 p.m., 20 views

CVE-2026-39985 LORIS has an open redirect field on login

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS,...

CVSS 4.3 | EPSS 0.00204
Exploits 0 | References 4
NVD
added 2026/04/08 7:25 p.m., 4 views

CVE-2026-35446

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping t...

CVSS 8.6 | EPSS 0.00231
Exploits 0 | References 1
NVD
added 2026/04/08 7:25 p.m., 3 views

CVE-2026-34985

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the...

CVSS 6.5 | EPSS 0.00226
Exploits 0 | References 1
EUVD
added 2026/04/08 6:28 p.m., 0 views

EUVD-2026-20580

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping t...

CVSS 7.7 | AI score 5.9 | EPSS 0.00231
Exploits 0 | References 1
CVE
added 2026/04/08 6:26 p.m., 12 views

CVE-2026-35400

LORIS (Longitudinal Online Research and Imaging System) is affected from 20.0.0 up to but not including 27.0.3 and 28.0.1 by a publication module flaw that trusts the baseURL submitted via a user’s POST request instead of the internal LORIS value. This could allow an attacker with publication-mod...

CVSS 4.3 | AI score 6 | EPSS 0.00201
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2026/04/08 6:26 p.m., 2 views

EUVD-2026-20576

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, an endpoint in the publication module was incorrectly trusting the baseURL submitted by a user's PO...

CVSS 3.5 | AI score 6 | EPSS 0.00201
Exploits 0 | References 1
EUVD
added 2026/04/08 6:24 p.m., 1 view

EUVD-2026-20574

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From to before 27.0.3 and 28.0.1, the helpeditor module of LORIS did not properly sanitize some user supplied variables which could result i...

CVSS 8.7 | AI score 5.9 | EPSS 0.00157
Exploits 0 | References 1
EUVD
added 2026/04/08 6:23 p.m., 2 views

EUVD-2026-20572

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 21.0.0 to before 27.0.3 and 28.0.1, while the documentrepository frontend was restricting file access, the backend endpoint was not...

CVSS 6.3 | AI score 5.9 | EPSS 0.00165
Exploits 0 | References 1
CVE
added 2026/04/08 6:22 p.m., 5 views

CVE-2026-34985

LORIS (Longitudinal Online Research and Imaging System) has an access-control flaw in the media module: from 16.1.0 up to just before 27.0.3 and 28.0.1, the frontend filters access-restricted files but the backend did not enforce access checks, allowing unauthorized users to access a file if the ...

CVSS 6.5 | AI score 5.9 | EPSS 0.00226
Exploits 0 | References 1 | Affected Software 1
EUVD
added 2026/04/08 6:22 p.m., 3 views

EUVD-2026-20570

LORIS Longitudinal Online Research and Imaging System is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, while the frontend of the media module filters files that the user should not have access to, the...

CVSS 6.3 | AI score 5.9 | EPSS 0.00226
Exploits 0 | References 1
CVE
added 2026/04/08 5:47 p.m., 7 views

CVE-2026-33350

Product: LORIS (Longitudinal Online Research and Imaging System). Issue: SQL injection in the MRI feedback popup window of the imaging browser. Root cause: Vulnerable code sections allowed SQL ingestion prior to certain releases. Versions affected: before 27.0.3 and 28.0.1. Impact: Attackers coul...

CVSS 7.5 | AI score 5.9 | EPSS 0.00246
Exploits 0 | References 1 | Affected Software 1
Positive Technologies
added 2026/04/08 12:0 a.m., 2 views

PT-2026-31414

Name of the Vulnerable Software and Affected Versions: LORIS versions 20.0.0 through 27.0.2 and 28.0.0. Description: A flaw exists in the static file router of LORIS, a web application for neuroimaging research data management. This issue allows an attacker to access files outside the intended...

CVSS 7.5 | AI score 5.9 | EPSS 0.0025
Exploits 0 | References 4
Positive Technologies
added 2026/04/08 12:0 a.m., 11 views

PT-2026-31425

Name of the Vulnerable Software and Affected Versions: LORIS versions 16.1.0 through 27.0.2 and 28.0.0. Description: The LORIS application, used for data and project management in neuroimaging research, had a flaw where backend access checks were missing for files. This allowed unauthorized access t...

CVSS 6.3 | AI score 5.9 | EPSS 0.00226
Exploits 0 | References 4
CNNVD
added 2026/04/08 12:0 a.m., 4 views

LORIS Neuroimaging Platform security vulnerability

LORIS Neuroimaging Platform is an open-source neuroimaging platform developed by ACElab. Versions of LORIS Neuroimaging Platform from 21.0.0 to 27.0.3, as well as versions before 28.0.1, have security vulnerabilities. These vulnerabilities stem from the backend endpoints not properly verifying...

CVSS 6.5 | AI score 5.8 | EPSS 0.00165
Exploits 0 | References 1
CNNVD
added 2026/04/08 12:0 a.m., 4 views

LORIS Neuroimaging Platform postback link vulnerability

LORIS Neuroimaging Platform is an open-source neuroimaging platform developed by ACElab. Versions of LORIS Neuroimaging Platform from 20.0.0 to 27.0.3, as well as versions before 28.0.1, had a postback link vulnerability. This vulnerability stemmed from an error in the endpoint of the publication module,...

CVSS 4.3 | AI score 5.8 | EPSS 0.00201
Exploits 0 | References 1