{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33350", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-18T22:15:11.814Z", "datePublished": "2026-04-08T17:47:32.566Z", "dateUpdated": "2026-04-08T19:24:05.846Z"}, "containers": {"cna": {"title": "LORIS has a SQL injection in MRI feedback popup", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh"}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"version": "< 27.0.3", "status": "affected"}, {"version": ">= 28.0.0, < 28.0.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:47:32.566Z"}, "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "source": {"advisory": "GHSA-9r29-6jgc-3ggh", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T19:23:56.598329Z", "id": "CVE-2026-33350", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:24:05.846Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33350", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T19:23:56.598329Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T19:24:00.763Z"}}], "cna": {"title": "LORIS has a SQL injection in MRI feedback popup", "source": {"advisory": "GHSA-9r29-6jgc-3ggh", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "aces", "product": "Loris", "versions": [{"status": "affected", "version": "< 27.0.3"}, {"status": "affected", "version": ">= 28.0.0, < 28.0.1"}]}], "references": [{"url": "https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh", "name": "https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T17:47:32.566Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33350", "state": "PUBLISHED", "dateUpdated": "2026-04-08T19:24:05.846Z", "dateReserved": "2026-03-18T22:15:11.814Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-08T17:47:32.566Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:mcgill:loris:*:*:*:*:*:*:*:*", "matchCriteriaId": "F04A492D-D20B-4349-B01E-18EC44C8E400", "versionEndExcluding": "27.0.3", "vulnerable": true}, {"criteria": "cpe:2.3:a:mcgill:loris:28.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D358B66A-04AC-44F2-8EF6-4332D8AC00F4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL ingestion to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1."}], "id": "CVE-2026-33350", "lastModified": "2026-04-17T15:50:43.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T19:25:21.163", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,27.0.3)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[28.0.0,28.0.1)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "Loris", "source": "cna", "vendor": "aces"}, "product": "loris", "vendor": "aces"}], "analysis": {"en": {"generated_at": "2026-04-08T19:54:01.635540+00:00", "value": {"mitigation_remediation": ["Upgrade LORIS to version 27.0.3 or newer, or 28.0.1 or newer, which contains the fix for the SQL injection.", "If an immediate upgrade is not possible, limit access to the MRI feedback feature and restrict untrusted users from interacting with the web application.", "After applying the fix, verify that the application no longer accepts raw SQL in the popup input and monitor logs for any suspicious query activity."], "summary": {"action": "Immediate Patch", "impact": "Data compromise"}, "threat_synthesis": {"affected_systems": "The flaw affects the LORIS application from the aces project for all releases prior to 27.0.3 and 28.0.1 \u2013 that is, LORIS versions 27.0.2 and earlier, and 28.0.0. These versions are still in use by some neuroimaging research groups.", "description_and_impact": "A vulnerability in the MRI feedback popup of the LORIS web application allows attackers to inject arbitrary SQL statements, enabling them to read or modify stored data. This flaw could lead to unauthorized disclosure of sensitive research information or destructive changes to the database, thereby violating confidentiality and integrity of the system.", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, yet the exploit probability score is not disclosed. The flaw can be triggered through the web interface by submitting crafted input to the MRI feedback popup, so the attack vector is remote over the network. No special conditions beyond access to the application are required, making the vulnerability relatively easy to exploit for users who can reach the LORIS server."}}}}, "created": "2026-04-08T19:55:21.218174+00:00", "updated": "2026-04-08T20:12:45.815661+00:00", "vendors": ["aces", "aces$PRODUCT$loris"]}