CVE-2026-33350
Received Received - Intake
SQL Injection in LORIS MRI Feedback Popup Risks Data Exposure

Publication date: 2026-04-08

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-08
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33350
EUVD
EUVD-2026-20552
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mcgill loris 28.0.0
mcgill loris to 27.0.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in LORIS allows attackers to gain unauthorized access to server-side data, resulting in a high confidentiality breach.

Such unauthorized data access can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect sensitive personal and health information.

Therefore, if exploited, this vulnerability could compromise compliance with these standards by exposing sensitive neuroimaging research data.

Executive Summary

CVE-2026-33350 is a high-severity SQL injection vulnerability affecting the MRI feedback popup window in the imaging browser of the LORIS software. It occurs because user input is not properly sanitized before being included in SQL queries, allowing attackers to inject malicious SQL code remotely without any privileges or user interaction.

This flaw enables attackers to access or alter data on the server by exploiting the improper neutralization of special elements in SQL commands.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive data stored on the server, resulting in a high confidentiality breach.

Although it does not affect data integrity or availability, attackers can retrieve or manipulate data without permission, which could compromise the privacy of neuroimaging research data managed by LORIS.

Mitigation Strategies

To mitigate this SQL injection vulnerability in LORIS, you should immediately upgrade the software to a patched version.

  • Upgrade to version 27.0.3 or later if you are using the 27.x branch.
  • Upgrade to version 28.0.1 or later if you are using the 28.x branch.

These versions contain fixes that properly neutralize special elements in SQL commands, preventing SQL injection attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33350. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart