CVE-2026-35446HIGH 8.6EPSS p13.6%

CVE-2026-35446CVE-2026-35446

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

Scoring

CVSS 3.18.6 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS0.23% probability of exploitation · percentile 13.6% · 2026-06-19T12:03:05Z
Published2026-04-08
Last modified2026-04-21

Underlying weaknesses· 1

CWE-552

References

  1. https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759

1

TypeTargetConfidenceTier
WeaknessFiles or Directories Accessible to External Partiescwe-5520%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-26984
CVE
CVE-2025-2305
CVE
CVE-2025-65346
CVE
CVE-2026-28462
CVE
CVE-2026-50234
CVE
CVE-2018-25408
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.