{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34392", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.619Z", "datePublished": "2026-04-08T17:57:35.927Z", "dateUpdated": "2026-04-08T17:57:35.927Z"}, "containers": {"cna": {"title": "LORIS has a path traversal in static router", "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "lang": "en", "description": "CWE-552: Files or Directories Accessible to External Parties", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": ">= 20.0.0, < 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:57:35.927Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-rfj5-58hv-wc5f", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-34392", "lastModified": "2026-04-08T21:26:13.410", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:21.723", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[20.0.0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-08T19:52:55.925014+00:00", "value": {"mitigation_remediation": ["Apply the LORIS patch to at least version 27.0.3 or 28.0.1", "If immediate patching is not possible, disable the static, css, and js endpoints or restrict directory access in the web server configuration", "Review and sanitize file paths in the application if custom changes are present", "Monitor web server logs for path traversal attempts and block offending IPs"], "summary": {"action": "Patch Immediately", "impact": "Remote File Disclosure via Path Traversal"}, "threat_synthesis": {"affected_systems": "Affected products include the open\u2011source LORIS platform by aces. Versions from 20.0.0 up to, but not including, 27.0.3 and up to, but not including, 28.0.1 are vulnerable. The security fix was released in 27.0.3 and 28.0.1. Users running any earlier releases should verify their installed version before applying the fix.", "description_and_impact": "The vulnerability in LORIS's static file router permits an attacker to request files outside the intended directory. By manipulating the URL to the static, css, and js endpoints, the attacker can traverse the file system and download arbitrary files, exposing sensitive data. This issue is a classic path traversal flaw, identified as CWE\u2011552, and can lead to confidentiality breaches if the application serves privileged content.", "risk_and_exploitability": "The CVSS score of 7.5 indicates a high impact risk. Although the EPSS score is not available and the vulnerability does not appear in the KEV catalog, the ability to read any file from the server via a public HTTP endpoint suggests that the attack can be performed remotely without authentication. The exploit path is straightforward: crafting a URL that includes path traversal sequences which the router fails to sanitize. Due to the lack of authentication or rate limiting, the exploitation likelihood remains significant, especially in environments where LORIS is exposed to untrusted users."}}}}, "created": "2026-04-08T19:55:20.035272+00:00", "updated": "2026-04-08T20:12:43.457184+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}