{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35446", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-02T19:25:52.192Z", "datePublished": "2026-04-08T18:28:30.405Z", "dateUpdated": "2026-04-08T20:13:54.835Z"}, "containers": {"cna": {"title": "LORIS has a path traversal in FilesDownloadHandler", "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": ">= 24.0.0, < 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:28:30.405Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-47jj-7xfg-8759", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T20:13:39.534396Z", "id": "CVE-2026-35446", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:13:54.835Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35446", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T20:13:39.534396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T20:13:49.952Z"}}], "cna": {"title": "LORIS has a path traversal in FilesDownloadHandler", "source": {"advisory": "GHSA-47jj-7xfg-8759", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"status": "affected", "version": ">= 24.0.0, < 27.0.3"}, {"status": "affected", "version": ">= 28.0.0, < 28.0.1"}]}], "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759", "name": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-552", "description": "CWE-552: Files or Directories Accessible to External Parties"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T18:28:30.405Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35446", "state": "PUBLISHED", "dateUpdated": "2026-04-08T20:13:54.835Z", "dateReserved": "2026-04-02T19:25:52.192Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T18:28:30.405Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "matchCriteriaId": "54A016B3-10EE-475A-AE81-B2B651F4F3B0", "versionEndIncluding": "27.0.2", "versionStartIncluding": "24.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-35446", "lastModified": "2026-04-21T20:04:43.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-08T19:25:24.217", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-47jj-7xfg-8759"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[24.0.0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-08T20:36:06.621906+00:00", "value": {"mitigation_remediation": ["Upgrade Loris to version 27.0.3 or later, which contains the patch for the FilesDownloadHandler.", "If an upgrade is not immediately possible, restrict file download functionality by configuring the web server to serve only the intended download directories and deny traversal patterns; alternatively, disable the download endpoint until a patch can be applied.", "Add application\u2011level validation to reject requests containing directory traversal characters such as \"..\" or absolute paths.", "Deploy a web application firewall rule to block path traversal patterns and reduce the attack surface."], "summary": {"action": "Immediate Patch", "impact": "File Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability affects LORIS 24.0.0, all releases up to before 27.0.3, and 28.0.1. These are self\u2011hosted instances used for neuroimaging research that provide data and project management. All affected installations may allow unauthorized file download unless upgraded to the patched versions.", "description_and_impact": "LORIS\u2019s FilesDownloadHandler processes download requests with an incorrect order of operations, allowing attackers to escape the intended download directories via crafted URLs. The result is the ability to download arbitrary files stored on the web server, potentially exposing sensitive project data, configuration files, or user credentials to any attacker who can access the application. This flaw falls under CWE\u2011552 and carries a CVSS score of 7.7, indicating high severity and a significant threat to confidentiality.", "risk_and_exploitability": "With a CVSS score of 7.7 the risk is high, and because the flaw is exploitable by sending a specially crafted request from any network segment that can reach the application, the attack vector is inferred to be remote over HTTP. No EPSS information is available, but the lack of authentication requirements and the straightforward request pattern suggest a high likelihood of exploitation in exposed environments. The vulnerability is not listed in the CISA KEV catalog, but its potential impact justifies immediate attention."}}}}, "created": "2026-04-09T08:18:24.038869+00:00", "updated": "2026-04-09T08:27:46.484894+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}