6.1

CVE-2026-39985

EPSS 0.03%
Veröffentlicht 09.04.2026 18:17:02
Zuletzt bearbeitet 22.04.2026 00:24:34
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 7

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Mcgill ≫ Loris Version < 27.0.3

Mcgill ≫ Loris Version28.0.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.03%	0.085

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.1	2.8	2.7	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
security-advisories@github.com	4.3	2.8	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.

https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58

Patch

https://github.com/aces/Loris/releases/tag/v27.0.3

Release Notes

https://github.com/aces/Loris/releases/tag/v28.0.1

Release Notes

https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-39985

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-39985

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-39985

EUVD