CVE-2026-26984

Source
https://cve.org/CVERecord?id=CVE-2026-26984
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26984.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-26984
Aliases
  • GHSA-mpgc-c48m-6v2h
Published
2026-02-25T21:15:54.790Z
Modified
2026-03-03T02:56:17.023533Z
Severity
  • 8.7 (High) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
Summary
LORIS media module vulnerable to remote code execution
Details

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data and project management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, the media module allows an authenticated user with sufficient privileges (PR:H in the CVSS vector above) to exploit a path traversal vulnerability (CWE-22) and upload a malicious file to an arbitrary location on the server (CWE-434). Once uploaded, the file can be used to achieve remote code execution (RCE). If the server is configured as read-only, RCE is not possible; however, the malicious file upload may still be achievable. This problem is fixed in LORIS v26.0.5 and above, v27.0.2 and above, and v28.0.0 and above. As a workaround, LORIS administrators can disable the media module if it is not being used.
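The two weaknesses named above, a traversable filename (CWE-22) and an unrestricted upload type (CWE-434), are what an upload handler must refuse. The following is an added example for this page, not LORIS code, and it does not reproduce the module's actual handler: it shows the unsafe join pattern beside a hardened destination check. UPLOAD_ROOT, the extension allowlist and the sample filenames are assumptions constructed for illustration. It works on path strings only (posixpath), so it runs without touching a filesystem; a real handler would additionally resolve the final directory with os.path.realpath() to defeat symlinks.

```python
"""Path-traversal-safe upload destination, shown beside the unsafe pattern.

Added example; not LORIS code. Paths, allowlist and sample names are assumptions.
"""
import posixpath

# Assumed upload directory of the media module (illustrative, not LORIS's real path).
UPLOAD_ROOT = "/var/www/loris/modules/media/user_uploads"

# What the module is expected to store; anything else is refused (CWE-434).
ALLOWED_EXT = {".pdf", ".png", ".jpg", ".jpeg", ".txt", ".csv"}

# Extensions a web server may execute even when they are not the last suffix
# (Apache's AddHandler matches 'shell.php.pdf'), so they are refused anywhere.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".php5", ".php7", ".cgi", ".sh"}


class UnsafeUploadName(ValueError):
    """Raised when a client-supplied filename must not be written."""


def vulnerable_destination(root, user_filename):
    """The CWE-22 pattern: the client-controlled name is joined as a path.

    '../' segments walk out of root, so the file lands wherever the web
    server user can write, for example inside the document root.
    """
    return posixpath.normpath(posixpath.join(root, user_filename))


def safe_destination(root, user_filename, allowed_ext=ALLOWED_EXT):
    """Return the destination path for an upload, or raise UnsafeUploadName."""
    if "\x00" in user_filename:
        raise UnsafeUploadName("NUL byte in filename")
    # Keep only the final component; this drops every directory and '..' part.
    # Backslashes are normalised first so Windows-style traversal is caught too.
    name = posixpath.basename(user_filename.replace("\\", "/"))
    # Hidden names are refused as well: '.htaccess' could re-enable execution.
    if not name or name in {".", ".."} or name.startswith("."):
        raise UnsafeUploadName("empty, dot or hidden filename")
    # Allowlist the final extension and refuse executable ones anywhere in the name.
    parts = name.lower().split(".")
    if len(parts) < 2 or "." + parts[-1] not in allowed_ext:
        raise UnsafeUploadName(f"extension not allowed: {name}")
    if any("." + p in EXECUTABLE_EXT for p in parts[1:]):
        raise UnsafeUploadName(f"executable extension in name: {name}")
    # Defence in depth: the normalised result must still sit under root.
    dest = posixpath.normpath(posixpath.join(root, name))
    if posixpath.commonpath([root, dest]) != posixpath.normpath(root):
        raise UnsafeUploadName("destination escapes upload root")
    return dest


def audit_names(root, names):
    """Map each candidate filename to its safe destination, or None if refused."""
    result = {}
    for n in names:
        try:
            result[n] = safe_destination(root, n)
        except UnsafeUploadName:
            result[n] = None
    return result


if __name__ == "__main__":
    # Constructed sample names: what a legitimate user or an attacker might send.
    samples = ["report.pdf", "../../../../../../tmp/shell.php", "shell.php.pdf",
               "shell.php\x00.pdf", ".htaccess", "..\\..\\x.png"]
    verdicts = audit_names(UPLOAD_ROOT, samples)
    for n in samples:
        print(repr(n), "| naive:", vulnerable_destination(UPLOAD_ROOT, n),
              "| hardened:", verdicts[n])
```

The naive join turns `../../../../../../tmp/shell.php` into `/tmp/shell.php`; the hardened check reduces every input to a bare filename, then refuses anything whose extension is not on the allowlist, carries an executable extension in a middle segment, or contains a NUL byte. Note that this only addresses the two weaknesses on this page: a read-only document root, as the Details mention, is a separate layer that stops execution but not the write.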

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/26xxx/CVE-2026-26984.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-22",
        "CWE-434"
    ]
}
References

Affected packages

Git / github.com/aces/loris

Affected ranges

Type
GIT
Repo
https://github.com/aces/loris
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "26.0.5"
        }
    ]
}
Type
GIT
Repo
https://github.com/aces/loris
Events
Database specific
{
    "versions": [
        {
            "introduced": "27.0.0"
        },
        {
            "fixed": "27.0.2"
        }
    ]
}
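The two ranges above are what this record encodes: introduced is inclusive, fixed is exclusive, and "0" means every earlier version. To turn them into a yes/no for a deployed instance, here is an added example for this page (not OSV or LORIS code) that evaluates a LORIS tag against those pairs. The minimal tag parser is written for this example and ignores pre-release suffixes such as "-rc1", so an rc tag is treated as its final release; tags without a dotted number (several appear in the list below) are reported as unparsed rather than guessed.

```python
"""Check a deployed LORIS version against the affected ranges from this record.

Added example; not code from OSV or the LORIS project.
"""
import re

# OSV 'versions' ranges copied from the affected ranges above. 28.0.0, named as
# fixed in Details, falls outside both pairs and is therefore reported as not affected.
AFFECTED_RANGES = [
    ("0", "26.0.5"),
    ("27.0.0", "27.0.2"),
]


def parse_version(tag):
    """Turn a tag ('v26.0.4', 'loris-14.10', '16.0-rc3') into (major, minor, patch).

    Requires at least one dotted number, so 'Other' or 'GitHubRelease-201312111'
    return None instead of a misleading tuple. Suffixes after the number are ignored.
    """
    m = re.search(r"\d+(?:\.\d+)+", tag)
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_affected(tag, ranges=AFFECTED_RANGES):
    """True or False per the ranges, or None if the tag is not a version."""
    v = parse_version(tag)
    if v is None:
        return None
    for introduced, fixed in ranges:
        lo = (0, 0, 0) if introduced == "0" else parse_version(introduced)
        if lo <= v < parse_version(fixed):
            return True
    return False


def triage(tags, ranges=AFFECTED_RANGES):
    """Map each deployed version tag to the verdict of is_affected()."""
    return {t: is_affected(t, ranges) for t in tags}


if __name__ == "__main__":
    # Constructed sample: a few tags from the list below plus the fixed releases.
    sample = ["v24.1.7", "v26.0.4", "v26.0.5", "v27.0.1", "v27.0.2",
              "v28.0.0", "loris-14.10", "16.0-rc3", "Other"]
    for tag, verdict in triage(sample).items():
        label = {True: "affected", False: "not affected", None: "unparsed"}[verdict]
        print(f"{tag:12} {label}")
```

Because the fixed bound is exclusive, v26.0.5 and v27.0.2 come out as not affected even though v26.0.5 also appears in the enumerated tag list below; when the two disagree, the range pairs are the machine-readable statement and the tag list is a convenience enumeration. Any tag that parses to None should be resolved by hand from the commit it points at.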

Affected versions

16.*
16.0-rc3
16.0.0
Other
DOI
GitHubRelease-201312111
PublicRelease2
loris-14.*
loris-14.10
loris-14.12
v15.*
v15.10
v15.10-rc1
v15.10-rc2
v15.10-rc3
v15.10-rc4
v15.10-rc5
v15.10.1
v15.4
v15.4k
v16.*
v16.0-rc1
v16.0-rc2
v16.0.1
v16.0.2
v16.1-rc1
v16.1.0
v16.1.1
v16.1.2
v16.1.3
v17.*
v17.0.0
v17.0.0-rc1
v17.0.1
v17.0.2
v17.0.3
v17.0.4
v17.0.5
v18.*
v18.0.0
v18.0.0-rc1
v18.0.0-rc2
v18.0.0-rc3
v18.0.0a
v18.0.1
v18.0.2
v18.0.3
v18.0.4
v18.0.5
v19.*
v19.0.0
v19.0.0-rc1
v19.0.1
v19.0.2
v19.1.0
v19.1.1
v19.1.2
v20.*
v20.0.1
v20.0.2
v20.1.0
v20.1.1
v20.1.2
v20.2.0
v20.2.1
v20.3.0
v20.3.1
v21.*
v21.0.0
v21.0.0-rc1
v21.0.1
v21.0.2
v21.0.3
v21.0.4
v21.0.5
v21.0.6
v21.0.7
v22.*
v22.0.0
v22.0.1
v22.0.2
v22.0.3
v22.0.4
v23.*
v23.0.0
v23.0.1
v23.0.10
v23.0.11
v23.0.12
v23.0.2
v23.0.3
v23.0.4
v23.0.5
v23.0.6
v23.0.7
v23.0.8
v23.0.9
v24.*
v24.0.0
v24.0.1
v24.0.2
v24.0.3
v24.1.0
v24.1.1
v24.1.2
v24.1.3
v24.1.4
v24.1.5
v24.1.6
v24.1.7
v25.*
v25.0.0
v25.0.1
v25.0.2
v26.*
v26.0.0
v26.0.1
v26.0.2
v26.0.3
v26.0.4
v26.0.5
v27.*
v27.0.0
v27.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-26984.json"