CVE-2026-34985

EPSS 0.03%
Veröffentlicht 08.04.2026 18:22:09
Zuletzt bearbeitet 21.04.2026 20:20:00
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 16.1.0 to before 27.0.3 and 28.0.1, While the frontend of the media module filters files that the user should not have access to, the backend was not applying access checks and it would be possible for someone who should not have access to a file to access it if they know the filename. This vulnerability is fixed in 27.0.3 and 28.0.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mcgill ≫ Loris Version >= 16.1.0 <= 27.0.2

Mcgill ≫ Loris Version28.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.099

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.3	2.8	3.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://github.com/aces/Loris/security/advisories/GHSA-p42c-4gmq-hrjw

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-34985

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34985

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34985

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34985