Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.
Published: 2026-04-08
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Data compromise
Action: Immediate Patch
AI Analysis

Impact

A vulnerability in the MRI feedback popup of the LORIS web application allows attackers to inject arbitrary SQL statements, enabling them to read or modify stored data. This flaw could lead to unauthorized disclosure of sensitive research information or destructive changes to the database, thereby violating confidentiality and integrity of the system.

Affected Systems

The flaw affects the LORIS application from the aces project for all releases prior to 27.0.3 and 28.0.1 – that is, LORIS versions 27.0.2 and earlier, and 28.0.0. These versions are still in use by some neuroimaging research groups.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity, yet the exploit probability score is not disclosed. The flaw can be triggered through the web interface by submitting crafted input to the MRI feedback popup, so the attack vector is remote over the network. No special conditions beyond access to the application are required, making the vulnerability relatively easy to exploit for users who can reach the LORIS server.

Generated by OpenCVE AI on April 8, 2026 at 19:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LORIS to version 27.0.3 or newer, or 28.0.1 or newer, which contains the fix for the SQL injection.
  • If an immediate upgrade is not possible, limit access to the MRI feedback feature and restrict untrusted users from interacting with the web application.
  • After applying the fix, verify that the application no longer accepts raw SQL in the popup input and monitor logs for any suspicious query activity.

Generated by OpenCVE AI on April 8, 2026 at 19:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Aces
Aces loris
Vendors & Products Aces
Aces loris
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 18:45:00 +0000

Type Values Removed Values Added
Description LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.
Title LORIS has a SQL injection in MRI feedback popup
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Aces Loris
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T19:24:05.846Z

Reserved: 2026-03-18T22:15:11.814Z

Link: CVE-2026-33350

cve-icon Vulnrichment

Updated: 2026-04-08T19:24:00.763Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T19:25:21.163

Modified: 2026-04-08T21:26:13.410

Link: CVE-2026-33350

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T20:12:45Z

Weaknesses