CVE-2026-34392 HIGH

CVE-2026-34392: LORIS has a path traversal in static router

Vendor Aces
Product Loris
Weakness CWE-552 · Files accessible externally
Published April 8, 2026
Last update April 9, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.

Key dates

02Disclosure timeline

April 8, 2026 CVE published
April 9, 2026 Record updated