CVE-2026-26984 - Vulnerability Analysis
High | CVSS: 8.7 | Last Updated: February 27, 2026
LORIS - Path Traversal & Remote Code Execution
Overview
LORIS versions before 26.0.5, 27.0.2, and 28.0.0 contain a path traversal vulnerability caused by improper file upload handling in the media module. An authenticated user with sufficient privileges can upload malicious files and achieve remote code execution. Exploitation requires appropriate user permissions.
Severity & Score
Impact
Authenticated attackers with privileges can upload malicious files and execute code remotely, potentially compromising the server.
Mitigation
Upgrade to LORIS v26.0.5, v27.0.2, v28.0.0 or later; alternatively, disable the media module if unused.
References
Social Media Activity (1 post)
CVE-2026-26984 - High (8.7) LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenticated user with sufficient priv... https://www.thehackerwire.com/vulnerability/CVE-2026-26984/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-26984
- Severity: High
- CVSS Score: 8.7
- Type: path_traversal
- Status: unconfirmed
- EPSS: 9.9%
- Social Posts: 1
CWE
- CWE-22
CVSS Metrics
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N