CVE-2026-26984 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: February 25, 2026
LORIS - Path Traversal & Remote Code Execution
Published: February 25, 2026 | Updated: February 25, 2026 | Remote Exploitable
Overview
LORIS < 26.0.5, < 27.0.2, < 28.0.0 contains a path traversal vulnerability caused by improper file upload handling in the media module. It lets authenticated users with privileges upload malicious files and achieve remote code execution. Exploitation requires appropriate user permissions.
Severity & Score
Severity: High
CVSS Score: 8.7
Impact
Authenticated attackers with privileges can upload malicious files and execute code remotely, potentially compromising the server.
Mitigation
Upgrade to LORIS v26.0.5, v27.0.2, v28.0.0 or later; alternatively, disable the media module if unused.
Details
- CVE ID: CVE-2026-26984
- Severity: High
- CVSS Score: 8.7
- Type: path_traversal
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N