Directory Traversal Vulnerability in LORIS by Aces
CVE-2026-34392

7.5HIGH

Key Information:

Vendor: Aces
Status: Loris
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-34392?

The LORIS (Longitudinal Online Research and Imaging System) web application, essential for data and project management in neuroimaging research, features a directory traversal vulnerability. This flaw exists in versions 20.0.0 through prior to 27.0.3 and in 28.0.0, where incorrect handling in the static file router allows unauthorized access to files outside the designated directories. Attackers can exploit this issue to download unintended files through the static, css, and js endpoints, potentially jeopardizing sensitive data. This vulnerability has been addressed in the releases 27.0.3 and 28.0.1.

Affected Version(s)

Loris >= 20.0.0, < 27.0.3 < 20.0.0, 27.0.3

Loris >= 28.0.0, < 28.0.1 < 28.0.0, 28.0.1

References

https://github.com/aces/Loris/security/advisories/GHSA-rf...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 27, 2026

CVE-2026-34392 Data

JSON