CVE-2026-35446 HIGH

CVE-2026-35446: LORIS has a path traversal in FilesDownloadHandler

Vendor Aces

Product Loris

Weakness CWE-552 · Files accessible externally

Published April 8, 2026

Last update April 8, 2026

View on NVD All CVEs

CVSS base score

7.7/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality High

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 24.0.0 to before 27.0.3 and 28.0.1, an incorrect order of operations in the FilesDownloadHandler could result in an attacker escaping the intended download directories. This vulnerability is fixed in 27.0.3 and 28.0.1.

Key dates

02Disclosure timeline

April 8, 2026 CVE published

April 8, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-35446

Related vulnerabilities

Identifiers

CVE CVE-2026-35446

CWE CWE-552

CVSS 7.7 / HIGH

Affected versions

Vendor Aces

Product Loris

Affected >= 24.0.0, < 27.0.3

Vendor Aces

Product Loris

Affected >= 28.0.0, < 28.0.1

CVE-2026-35446: LORIS has a path traversal in FilesDownloadHandler

01Description

02Disclosure timeline

03References

04Related CVE