CVE-2026-26984
Path Traversal in LORIS Media Module Enables Remote Code Execution
Publication date: 2026-02-25
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mcgill | loris | Up to 26.0.5 (excluding) |
| mcgill | loris | From 27.0.0 (including) to 27.0.2 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade LORIS to version 26.0.5 or above, 27.0.2 or above, or 28.0.0 or above, where the issue is fixed.
As a workaround, if upgrading is not immediately possible, LORIS administrators can disable the media module if it is not being used.
Additionally, configuring the server as read-only can prevent remote code execution, although malicious file upload may still be possible.
Can you explain this vulnerability to me?
This vulnerability exists in LORIS, a web application used for managing neuroimaging research data. It is a path traversal vulnerability that allows an authenticated user with sufficient privileges to upload a malicious file to an arbitrary location on the server.
Once the malicious file is uploaded, it can be used to execute remote code on the server, potentially allowing the attacker to take control of the system.
Exploitation requires the attacker to be authenticated and have the appropriate permissions. If the server is configured as read-only, remote code execution is not possible, but the malicious file upload may still occur.
The issue is fixed in LORIS versions 26.0.5 and above, 27.0.2 and above, and 28.0.0 and above. As a temporary workaround, administrators can disable the media module if it is not in use.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized remote code execution on the server hosting LORIS.
An attacker who successfully exploits this vulnerability could upload malicious files and execute arbitrary code, potentially leading to full system compromise.
This could result in data breaches, loss of data integrity, disruption of services, and unauthorized access to sensitive neuroimaging research data.
If the server is configured as read-only, remote code execution is prevented, but the attacker may still upload malicious files, which could be leveraged in other attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know