{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39985", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-08T00:01:47.628Z", "datePublished": "2026-04-09T17:08:49.668Z", "dateUpdated": "2026-04-09T17:08:49.668Z"}, "containers": {"cna": {"title": "LORIS has an open redirect field on login", "problemTypes": [{"descriptions": [{"cweId": "CWE-601", "lang": "en", "description": "CWE-601: URL Redirection to Untrusted Site ('Open Redirect')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95"}, {"name": "https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58", "tags": ["x_refsource_MISC"], "url": "https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58"}, {"name": "https://github.com/aces/Loris/releases/tag/v27.0.3", "tags": ["x_refsource_MISC"], "url": "https://github.com/aces/Loris/releases/tag/v27.0.3"}, {"name": "https://github.com/aces/Loris/releases/tag/v28.0.1", "tags": ["x_refsource_MISC"], "url": "https://github.com/aces/Loris/releases/tag/v28.0.1"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": "< 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T17:08:49.668Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-rch2-f5fw-cg95", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, the redirect parameter upon login to LORIS was not validating the value of the redirect as being within LORIS, which could be used to trick users into visiting arbitrary URLs if they are given a link with a third party redirect parameter. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-39985", "lastModified": "2026-04-09T18:17:02.653", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T18:17:02.653", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/aces/Loris/commit/f57f54b42a076bf53ba86e20d4dbf37f63538f58"}, {"source": "security-advisories@github.com", "url": "https://github.com/aces/Loris/releases/tag/v27.0.3"}, {"source": "security-advisories@github.com", "url": "https://github.com/aces/Loris/releases/tag/v28.0.1"}, {"source": "security-advisories@github.com", "url": "https://github.com/aces/Loris/security/advisories/GHSA-rch2-f5fw-cg95"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-601"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-09T18:21:03.808478+00:00", "value": {"mitigation_remediation": ["Upgrade LORIS to version 27.0.3 or later", "Upgrade LORIS to version 28.0.1 or later", "If upgrades are not immediately possible, remove or encode the redirect parameter in login URLs to prevent arbitrary redirection", "Monitor application logs for unexpected redirect attempts and block suspicious traffic"], "summary": {"action": "Update", "impact": "Open Redirect"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the LORIS web application owned by aces. Versions earlier than 27.0.3 and 28.0.1 are impacted; the issue was fixed in those releases.", "description_and_impact": "A flaw in the login process of LORIS allows the redirect parameter to be set to any URL without verification, enabling an attacker to redirect users to malicious sites. This can lead to phishing or credential harvesting but does not directly grant code execution or data exfiltration. The weakness corresponds to an open redirect vulnerability (CWE-601).", "risk_and_exploitability": "The CVSS base score is 4.3, indicating moderate impact. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector is likely web-based, requiring an attacker to supply a crafted login URL with a redirect parameter targeting the victim's browser."}}}}, "created": "2026-04-10T08:52:48.921904+00:00", "updated": "2026-04-10T09:32:00.164511+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}