CVE-2026-35446

Source
https://cve.org/CVERecord?id=CVE-2026-35446
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35446.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35446
Aliases
  • GHSA-47jj-7xfg-8759
Published
2026-04-08T18:28:30.405Z
Modified
2026-07-08T08:12:58.923176141Z
Severity
  • 7.7 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N CVSS Calculator
Summary
LORIS has a path traversal in FilesDownloadHandler
Details

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35446.json",
    "cwe_ids": [
        "CWE-552"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/aces/loris

Affected ranges

Type
GIT
Repo
https://github.com/aces/loris
Events
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "24.0.0"
        },
        {
            "fixed": "27.0.3"
        },
        {
            "introduced": "28.0.0"
        },
        {
            "fixed": "28.0.1"
        }
    ]
}

Affected versions

28.*
28.0.0
v28.*
v28.0.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35446.json"