Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on the server. Once uploaded, the file can be used to achieve remote code execution (RCE). An attacker must be authenticated and have the appropriate permissions to exploit this issue. If the server is configured as read-only, remote code execution (RCE) is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used.
Published: 2026-02-25
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a path-traversal flaw (CWE-22) in the media module of LORIS that lets an authenticated user with sufficient privileges choose where on the server an uploaded file is written. Because the application does not sanitise the supplied path, the file can be placed in a location from which the web server will later execute it, giving remote code execution on the host. The same upload path is also unrestricted in the file types it accepts (CWE-434). Where the server is configured as read-only, the advisory states that RCE is not possible but that the malicious upload may still succeed, so a read-only configuration limits the impact without removing the flaw.
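To make the two weaknesses concrete, the following is an added Python example and not LORIS code (LORIS itself is a PHP application): an upload handler that trusts the client-supplied filename, beside a hardened version that rejects traversal and disallowed types and stores the file under a server-chosen name. The upload root, the extension allowlist, and the attacker filename are assumptions chosen for the demonstration.

```python
"""Added example: a path-traversal-prone upload handler beside a hardened one.
Illustrative Python, not LORIS code; the upload root, allowlist and filenames
below are assumptions chosen for the demonstration."""
import os
import secrets
import tempfile

# Assumed allowlist of document/image types a media module might accept.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".jpeg", ".csv", ".txt"}


class UploadRejected(ValueError):
    """Raised by hardened_save when the request fails a security check."""


def vulnerable_save(upload_root: str, filename: str, data: bytes) -> str:
    """CWE-22 + CWE-434: the client-supplied name is joined to the upload root
    unchanged, so '../' escapes the directory and any extension is kept."""
    dest = os.path.join(upload_root, filename)
    os.makedirs(os.path.dirname(dest), exist_ok=True)
    with open(dest, "wb") as f:
        f.write(data)
    return dest


def hardened_save(upload_root: str, filename: str, data: bytes) -> str:
    """Rejects traversal and disallowed types, then stores under a server-chosen
    name so the client string never reaches the filesystem."""
    root = os.path.realpath(upload_root)
    name = filename.replace("\\", "/")
    # 1. The name must be a bare file name: no separators, no '.'/'..', no NUL.
    if "/" in name or name in ("", ".", "..") or "\x00" in name:
        raise UploadRejected("filename must be a bare name")
    # 2. Extension allowlist (CWE-434), checked on the original name so that
    #    'cmd.php' is refused outright rather than silently renamed.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension {ext!r} not allowed")
    # 3. Server-generated name: a double extension such as 'x.php.png' can no
    #    longer be matched by a web server handler rule, because the stored
    #    name contains only the vetted final extension.
    stored = secrets.token_hex(16) + ext
    dest = os.path.realpath(os.path.join(root, stored))
    # 4. Containment check after canonicalisation, as defence in depth.
    if os.path.dirname(dest) != root:
        raise UploadRejected("destination escapes upload root")
    # 5. O_EXCL so an existing file is never overwritten; mode 0640.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return dest


def demo() -> dict:
    """Runs both handlers against constructed attacker input in a temp tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "site", "uploads")
        os.makedirs(root)
        real_root = os.path.realpath(root)
        # Constructed attacker input: climb out of uploads/ into a sibling
        # directory that a web server would treat as executable content.
        evil_name = "../webroot/cmd.php"
        payload = b"<?php system($_GET['c']); ?>"

        written = os.path.realpath(vulnerable_save(root, evil_name, payload))
        escaped = os.path.commonpath([real_root, written]) != real_root

        try:
            hardened_save(root, evil_name, payload)
            rejected = False
        except UploadRejected:
            rejected = True

        # A benign upload still succeeds and lands inside the upload root.
        ok = os.path.realpath(hardened_save(root, "scan.png", b"\x89PNG\r\n"))
        return {
            "vulnerable_escaped": escaped,
            "hardened_rejected": rejected,
            "benign_inside_root": os.path.dirname(ok) == real_root,
            "benign_renamed": os.path.basename(ok) != "scan.png",
        }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: the type check runs on the name the client sent, so a forbidden type is refused and can be logged, while the rename in step 3 means that even a name that passes every check never influences where or under what name the bytes are stored.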

Affected Systems

LORIS, the self-hosted neuroimaging research platform from McGill (tracked under both the Mcgill and Aces vendor entries in the history below), is affected. Releases prior to 26.0.5, 27.0.2 and 28.0.0 contain the flaw. The vulnerable code is in the media module, so any deployment of those versions with the module enabled is exposed; disabling the module is the only workaround the advisory lists. A read-only server configuration prevents the RCE stage but, per the advisory, not necessarily the upload itself.

Risk and Exploitability

The NVD CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) rates the issue high, while the EPSS score below 1% suggests a low probability of exploitation at present. The CNA's own CVSS 3.0 vector (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N, 8.7) assumes high privileges and a scope change, so the two assessments differ on how much access an attacker needs; the advisory itself says only "sufficient privileges". Either way, the attack requires a valid account with whatever permissions the media module grants for uploads, and an attacker holding such an account can run code on the host, tamper with research data, and potentially pivot to other systems. The issue is not listed in the CISA KEV catalog, and the SSVC record marks exploitation as "none" and the attack as not automatable, but the combination of authenticated access and attacker-controlled file placement makes it a serious risk for any LORIS installation with the media module enabled.
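Because the attacker must already hold an account, detection of attempts is as useful as blocking them. The following is an added Python example, not LORIS code or an OpenCVE tool, that inspects the filename parameter of a multipart/form-data upload body for traversal, including percent-encoded, double-encoded and backslash variants. The request body and field names are constructed for the demonstration; the advisory does not say which request field LORIS used, so a deployment would need to apply the same check to whatever field carries the destination path.

```python
"""Added example: flag path-traversal attempts in the filename parameter of
multipart/form-data uploads. Not LORIS code; the request body below is
constructed for the demonstration and the field names are assumptions."""
import re
from urllib.parse import unquote

DISPOSITION_RE = re.compile(
    r"^Content-Disposition:\s*form-data;(?P<params>.*)$",
    re.IGNORECASE | re.MULTILINE,
)
FILENAME_RE = re.compile(r'filename="(?P<name>[^"]*)"')
# '..' as a whole path component: start or '/' before it, '/' or end after it.
DOTDOT_RE = re.compile(r"(^|/)\.\.(/|$)")


def canonical(name: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (defeats %252e double encoding), then fold
    backslashes to '/' so Windows-style traversal is caught by one regex."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            break
        name = decoded
    return name.replace("\\", "/")


def is_traversal(name: str) -> bool:
    """True for absolute paths, NUL bytes, or any '..' path component."""
    c = canonical(name)
    return c.startswith("/") or "\x00" in c or DOTDOT_RE.search(c) is not None


def upload_filenames(body: bytes) -> list:
    """Every filename="..." value from a multipart body, in order."""
    text = body.decode("latin-1")  # byte-preserving; filenames need not be UTF-8
    names = []
    for part in DISPOSITION_RE.finditer(text):
        m = FILENAME_RE.search(part.group("params"))
        if m:
            names.append(m.group("name"))
    return names


def flag_traversal(body: bytes) -> list:
    """The offending filename values, unmodified, for logging or blocking."""
    return [n for n in upload_filenames(body) if is_traversal(n)]


# Constructed sample request body for the demonstration.
BOUNDARY = "----demo"


def _part(field: str, filename: str, content: str) -> str:
    return (
        f"--{BOUNDARY}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
        f"{content}\r\n"
    )


SAMPLE_BODY = ("".join([
    _part("file", "scan.png", "PNGDATA"),                    # benign
    _part("file", "../webroot/cmd.php", "<?php ?>"),         # plain traversal
    _part("file", "..%2F..%2Fwebroot%2Fcmd.php", ""),        # percent-encoded
    _part("file", "%252e%252e%252fcmd.php", ""),             # double-encoded
    _part("file", r"..\..\webroot\cmd.php", ""),             # backslashes
    _part("file", "report.final.pdf", ""),                   # dots, but no '..'
]) + f"--{BOUNDARY}--\r\n").encode("latin-1")


if __name__ == "__main__":
    for name in flag_traversal(SAMPLE_BODY):
        print("traversal attempt:", name)
```

The decode loop is the part that a WAF rule written against the raw request would miss: the application decodes the value before it touches the filesystem, so the detector has to decode at least as many times as the application does, and flagging the canonical form rather than the raw string keeps a single rule effective against all of the encodings shown.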

Generated by OpenCVE AI on April 17, 2026 at 14:49 UTC.

Remediation

Fixed in LORIS 26.0.5, 27.0.2 and 28.0.0, and in later releases on each of those branches. Workaround from the advisory: disable the media module if it is not in use.

OpenCVE Recommended Actions

  • Upgrade LORIS to version 26.0.5 or later, 27.0.2 or later, or 28.0.0 or later, whichever applies to your installation.
  • If an upgrade cannot be performed immediately, disable the media module in the LORIS configuration or uninstall it completely.
  • Reduce permissions so that only trusted users can upload through the media module. A read-only server configuration blocks the RCE stage according to the advisory but may not prevent the upload itself, so treat it as defence in depth rather than as a substitute for the upgrade.
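Deciding which installations need the upgrade is easy to get wrong when three branches have three different fixed releases. The following is an added Python example, not a LORIS or OpenCVE tool, that classifies a recorded version string against the fixed releases named in this advisory; the host inventory is constructed for the demonstration, and the choice of 26.0.5 as the target for pre-26 branches is this example's inference from the advisory, which lists no fix for older branches.

```python
"""Added example: classify LORIS versions against the fixed releases named in
this advisory (26.0.5, 27.0.2, 28.0.0). Not a LORIS tool; the inventory
below is constructed for the demonstration."""
import re

# First fixed release per branch, taken from the advisory text.
FIRST_FIXED = {26: (26, 0, 5), 27: (27, 0, 2), 28: (28, 0, 0)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text: str) -> tuple:
    """'v26.0.4' -> (26, 0, 4). Pre-release or otherwise unusual strings are
    rejected rather than guessed at, so they surface for manual review."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(text: str) -> bool:
    ver = parse_version(text)
    major = ver[0]
    if major in FIRST_FIXED:
        return ver < FIRST_FIXED[major]
    # Branches older than 26 have no listed fix, so every such release is
    # 'prior to' the fixed versions; anything newer than 28 postdates 28.0.0.
    return major < 26


def upgrade_target(text: str):
    """Smallest fixed release an affected install should move to, or None if
    it is already fixed. Pre-26 branches have no fix of their own, so this
    example sends them to 26.0.5 (an assumption, not advisory text)."""
    if not is_vulnerable(text):
        return None
    major = parse_version(text)[0]
    target = FIRST_FIXED.get(major, FIRST_FIXED[26])
    return ".".join(str(n) for n in target)


def triage(inventory: dict) -> dict:
    """host -> upgrade target for every vulnerable host; unparseable version
    strings are reported rather than silently treated as fixed."""
    result = {}
    for host, version in inventory.items():
        try:
            target = upgrade_target(version)
        except ValueError:
            result[host] = "unknown version; inspect manually"
            continue
        if target:
            result[host] = target
    return result


# Constructed inventory for the demonstration.
INVENTORY = {
    "loris-prod": "26.0.4",
    "loris-dev": "27.0.2",
    "loris-legacy": "v25.0.3",
    "loris-test": "26.0.5-rc1",
}


if __name__ == "__main__":
    for host, action in triage(INVENTORY).items():
        print(f"{host}: {action}")
```

Note that an unparseable string is reported, never treated as patched: a triage script that quietly skips a host it cannot classify is worse than one that fails loudly.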

Generated by OpenCVE AI on April 17, 2026 at 14:49 UTC.

Tracking


Advisories

No advisories yet.

History

Thu, 05 Mar 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Mcgill
                                      Mcgill loris
CPEs                 -                cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*
Vendors & Products   -                Mcgill
                                      Mcgill loris
Metrics              -                cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Aces
                                      Aces loris
Vendors & Products   -                Aces
                                      Aces loris

Wed, 25 Feb 2026 22:15:00 +0000

Type                 Values Removed   Values Added
Metrics              -                ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 25 Feb 2026 21:30:00 +0000

Type                 Values Removed   Values Added
Description          -                LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient privileges can exploit a path traversal vulnerability to upload a malicious file to an arbitrary location on the server. Once uploaded, the file can be used to achieve remote code execution (RCE). An attacker must be authenticated and have the appropriate permissions to exploit this issue. If the server is configured as read-only, remote code execution (RCE) is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used.
Title                -                LORIS media module vulnerable to remote code execution
Weaknesses           -                CWE-22
                                      CWE-434
References           -                -
Metrics              -                cvssV3_0 {'score': 8.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T21:42:13.721Z

Reserved: 2026-02-17T01:41:24.605Z

Link: CVE-2026-26984

Vulnrichment

Updated: 2026-02-25T21:42:10.145Z

NVD

Status : Analyzed

Published: 2026-02-25T22:16:24.173

Modified: 2026-03-05T17:41:15.220

Link: CVE-2026-26984

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T15:00:11Z

Weaknesses