CVE-2026-26985 - Vulnerability Analysis
High | CVSS: 8.1 | Last Updated: February 25, 2026
LORIS - Path Traversal
Published: February 25, 2026 | Updated: February 25, 2026 | Remote Exploitable
Overview
LORIS versions from 24.0.0 up to, but not including, 26.0.5, 27.0.2, and 28.0.0 contain a path traversal caused by improper validation in the electrophysiology_browser module, letting authenticated users with permissions read configuration files containing hard-coded credentials.
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Authenticated attackers can read sensitive configuration files, potentially leading to credential compromise and unauthorized access to database or services.
Mitigation
Upgrade to version 26.0.5, 27.0.2, 28.0.0 or later. Alternatively, disable the electrophysiology_browser module as a workaround.
Details
- CVE ID: CVE-2026-26985
- Severity: High
- CVSS Score: 8.1
- Type: path_traversal
- Status: new
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N