CVE-2026-26985 - Vulnerability Analysis

Overview

LORIS 24.0.0 to before 26.0.5, 27.0.2, and 28.0.0 contains a path traversal caused by improper validation in electrophysiogy_browser module, letting authenticated users with permissions read configuration files containing hard-coded credentials.

Severity & Score

Impact

Authenticated attackers can read sensitive configuration files, potentially leading to credential compromise and unauthorized access to database or services.

Mitigation

Upgrade to version 26.0.5, 27.0.2, 28.0.0 or later. Alternatively, disable electrophysiogy_browser module as a workaround.

References

• https://github.com/aces/Loris/releases/tag/v26.0.5
• https://github.com/aces/Loris/releases/tag/v27.0.2
• https://github.com/aces/Loris/security/advisories/GHSA-g3pp-rqvq-xxhp

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Feb 26, 2026

🟠 CVE-2026-26985 - High (8.1) LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Starting in version 24.0.0 and prior to versions 26.0.5, 27.0.2, and 28.0.0, an authenti... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-26985/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

• Vulnerability Intelligence Dashboard
• Credential Scanner