CVE-2026-33350: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in aces Loris
CVE-2026-33350 is a high-severity SQL injection vulnerability in the aces LORIS web application, specifically affecting versions prior to 27. 0. 3 and between 28. 0. 0 and 28. 0. 1. The flaw exists in the MRI feedback popup window of the imaging browser, allowing attackers to inject SQL commands. Exploitation could lead to unauthorized access or alteration of data on the server. The vulnerability has been fixed in versions 27.
AI Analysis
Technical Summary
LORIS, a self-hosted web application for neuroimaging research data management, contained an SQL injection vulnerability (CWE-89) in the MRI feedback popup window code prior to versions 27.0.3 and 28.0.1. This vulnerability allows remote attackers to inject malicious SQL commands without requiring privileges or user interaction, potentially leading to unauthorized data access or modification. The issue is resolved in the fixed versions 27.0.3 and 28.0.1. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to access or alter sensitive data stored on the LORIS server. The impact is limited to confidentiality as per the CVSS vector; integrity and availability are not affected. This could compromise the privacy and integrity of neuroimaging research data managed by the application.
Mitigation Recommendations
This vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Users should upgrade to one of these versions or later to remediate the issue. Since this is a self-hosted application, patching is the primary mitigation. There is no vendor advisory indicating alternative mitigations or that no action is required.
CVE-2026-33350: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in aces Loris
Description
CVE-2026-33350 is a high-severity SQL injection vulnerability in the aces LORIS web application, specifically affecting versions prior to 27. 0. 3 and between 28. 0. 0 and 28. 0. 1. The flaw exists in the MRI feedback popup window of the imaging browser, allowing attackers to inject SQL commands. Exploitation could lead to unauthorized access or alteration of data on the server. The vulnerability has been fixed in versions 27.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LORIS, a self-hosted web application for neuroimaging research data management, contained an SQL injection vulnerability (CWE-89) in the MRI feedback popup window code prior to versions 27.0.3 and 28.0.1. This vulnerability allows remote attackers to inject malicious SQL commands without requiring privileges or user interaction, potentially leading to unauthorized data access or modification. The issue is resolved in the fixed versions 27.0.3 and 28.0.1. The CVSS 3.1 base score is 7.5, indicating high severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.
Potential Impact
Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to access or alter sensitive data stored on the LORIS server. The impact is limited to confidentiality as per the CVSS vector; integrity and availability are not affected. This could compromise the privacy and integrity of neuroimaging research data managed by the application.
Mitigation Recommendations
This vulnerability is fixed in LORIS versions 27.0.3 and 28.0.1. Users should upgrade to one of these versions or later to remediate the issue. Since this is a self-hosted application, patching is the primary mitigation. There is no vendor advisory indicating alternative mitigations or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-18T22:15:11.814Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d6b19c1cc7ad14daa7cc6f
Added to database: 4/8/2026, 7:50:52 PM
Last enriched: 4/8/2026, 8:05:57 PM
Last updated: 4/8/2026, 9:01:14 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.