Cyber Posture

CVE-2026-33350

Severity: High
Published: 08 April 2026
Modified: 17 April 2026
KEV Added: not listed in the CISA KEV catalog
Patch: fixed in LORIS 27.0.3 and 28.0.1
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0005 (14.8th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-33350 is a high-severity SQL Injection (CWE-89) vulnerability in Mcgill Loris. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The EPSS score ranks it at the 14.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly prevents SQL injection exploitation by validating and sanitizing untrusted inputs to the MRI feedback popup window code sections in LORIS. The durable form of this control is binding user-supplied values as query parameters; sanitization or allow-list validation of the input is defence in depth, not a substitute.

SI-2 Flaw Remediation (prevent): Requires timely patching of LORIS to the fixed versions 27.0.3 or 28.0.1 to remediate the specific SQL injection vulnerability.

Vulnerability scanning (detect): Facilitates identification of the SQL injection vulnerability through automated scanning of the self-hosted LORIS web application. Scanning finds unpatched instances; it does not detect exploitation attempts, which would have to be looked for in the web server logs of the imaging browser endpoints.
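To make the SI-10 point concrete, the following added example (not LORIS code and not taken from the advisory) contrasts a string-built lookup of the kind a feedback popup might perform with a parameterized one, using an in-memory SQLite table. The table `mri_feedback`, its columns, the `scan_id` identifier, the sample rows and the `' OR '1'='1` tautology payload are all constructed for the demonstration; `demo()` reports how many rows each variant returns.

```python
"""Added example (not LORIS or advisory code): CWE-89 string-built SQL beside
its parameterized and input-validated forms, exercised with a tautology
payload against a constructed in-memory SQLite table."""
import re
import sqlite3

# Constructed sample data; the schema is an assumption, not LORIS's.
SAMPLE_ROWS = [
    (1, "scan-1001", "motion artefact", "alice"),
    (2, "scan-1002", "clean", "bob"),
    (3, "scan-1003", "clean", "carol"),
]

# Assumed shape of a scan identifier; anything else is rejected up front.
SCAN_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Classic tautology payload, constructed for the demonstration.
PAYLOAD = "scan-1001' OR '1'='1"


def make_db():
    """Build a throwaway database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE mri_feedback (id INTEGER, scan_id TEXT, comment TEXT, author TEXT)"
    )
    conn.executemany("INSERT INTO mri_feedback VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def feedback_vulnerable(conn, scan_id):
    """CWE-89: untrusted input is pasted into the SQL text, so a quote in
    scan_id ends the literal and the remainder is parsed as SQL."""
    sql = (
        "SELECT id, scan_id, comment FROM mri_feedback WHERE scan_id = '"
        + scan_id
        + "'"
    )
    return conn.execute(sql).fetchall()


def feedback_parameterized(conn, scan_id):
    """Fixed form: the value is bound as a parameter and is never parsed as
    SQL, whatever characters it contains."""
    sql = "SELECT id, scan_id, comment FROM mri_feedback WHERE scan_id = ?"
    return conn.execute(sql, (scan_id,)).fetchall()


def feedback_validated(conn, scan_id):
    """SI-10 defence in depth: reject input outside the expected shape
    before it reaches the database layer, then still bind the parameter."""
    if not SCAN_ID_RE.fullmatch(scan_id):
        raise ValueError(f"scan_id has unexpected characters: {scan_id!r}")
    return feedback_parameterized(conn, scan_id)


def is_rejected(scan_id):
    """True if the validating variant refuses the input before querying."""
    try:
        feedback_validated(make_db(), scan_id)
    except ValueError:
        return True
    return False


def demo():
    """Row counts each variant returns for the payload and for a genuine id."""
    conn = make_db()
    return {
        "vulnerable_payload": len(feedback_vulnerable(conn, PAYLOAD)),
        "parameterized_payload": len(feedback_parameterized(conn, PAYLOAD)),
        "parameterized_genuine": len(feedback_parameterized(conn, "scan-1001")),
        "validated_rejects_payload": is_rejected(PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The vulnerable variant returns every row for the payload because the injected `OR '1'='1'` makes the WHERE clause a tautology; the parameterized variant returns nothing because the whole payload is compared as one literal string. The validating variant adds an allow-list check so that a malformed identifier never reaches the database at all, which is the layered behaviour SI-10 asks for.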

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated SQL injection in a public-facing web application (LORIS imaging browser) directly enables remote exploitation for sensitive data access with no user interaction required.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

LORIS (Longitudinal Online Research and Imaging System) is a self-hosted web application that provides data- and project-management for neuroimaging research. Prior to 27.0.3 and 28.0.1, a SQL injection has been identified in some code sections for the MRI feedback popup window of the imaging browser. Attackers can use SQL injection to access/alter data on the server. This vulnerability is fixed in 27.0.3 and 28.0.1.

Deeper analysis

CVE-2026-33350 is a SQL injection vulnerability (CWE-89) in LORIS, a self-hosted web application used for data and project management in neuroimaging research. The flaw affects versions prior to 27.0.3 and 28.0.1, specifically in code sections handling the MRI feedback popup window of the imaging browser. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and was published on 2026-04-08T19:25:21.163.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Exploitation enables SQL injection to read sensitive data on the server and, per the advisory text, potentially alter it. The CVSS vector nonetheless records only a high confidentiality impact (C:H/I:N/A:N); since the NVD description explicitly mentions altering data, treat the I:N rating as a scoring choice rather than a guarantee that writes are impossible.

The vulnerability is addressed in LORIS releases 27.0.3 and 28.0.1. Additional details on the issue and mitigation are available in the GitHub security advisory at https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh.

Details

CWE(s): CWE-89 SQL Injection

Affected Products: mcgill / loris, all versions before 27.0.3, and version 28.0.0 (fixed in 27.0.3 and 28.0.1)
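As an added check (not from this page or the LORIS project), the script below decides whether a deployed LORIS version string falls in the affected ranges stated above: anything before 27.0.3, and 28.0.0. It assumes a `major.minor.patch` format with an optional `v` prefix and an optional pre-release or build suffix, treats a pre-release such as 27.0.3-rc1 as older than the 27.0.3 release, and assumes that a major line newer than 28 carries the fix, which the advisory does not state.

```python
"""Added example (not LORIS, NVD or advisory code): check a LORIS version
string against the affected ranges stated for CVE-2026-33350 (everything
before 27.0.3, and 28.0.0; fixed in 27.0.3 and 28.0.1)."""
import re

# Fixed release per major line, as stated in the advisory text. The final
# 1 marks a full release so that pre-releases of the fixed version sort
# below it.
FIXED_IN = {27: (27, 0, 3, 1), 28: (28, 0, 1, 1)}

# Assumed version format: optional 'v', major.minor[.patch], optional
# pre-release suffix such as '-rc1' and optional build suffix such as '+b5'.
VERSION_RE = re.compile(
    r"v?(\d+)\.(\d+)(?:\.(\d+))?(-[0-9A-Za-z.]+)?(\+[0-9A-Za-z.]+)?"
)


def parse_version(text):
    """'v27.0.1-rc1' -> (27, 0, 1, 0); '27.0.1' -> (27, 0, 1, 1). Raise on
    anything unrecognised rather than silently treating it as safe."""
    m = VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised LORIS version: {text!r}")
    is_release = 0 if m.group(4) else 1
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0), is_release)


def is_affected(text):
    """True when the version falls inside the advisory's affected ranges."""
    v = parse_version(text)
    major = v[0]
    if major < 27:
        return True  # every older line predates 27.0.3
    if major in FIXED_IN:
        return v < FIXED_IN[major]
    # Assumption: majors newer than 28 carry the fix. Confirm against the
    # advisory before trusting this for a line it does not mention.
    return False


def triage(versions):
    """Map each inventory entry to 'affected', 'fixed' or 'unparseable'."""
    out = {}
    for text in versions:
        try:
            out[text] = "affected" if is_affected(text) else "fixed"
        except ValueError:
            out[text] = "unparseable"
    return out


if __name__ == "__main__":
    # Constructed inventory of hypothetical deployments.
    print(triage(["26.0.0", "27.0.2", "27.0.3", "28.0.0", "v28.0.1", "latest"]))
```

Unparseable entries are reported rather than treated as fixed, so an inventory field holding a tag like `latest` surfaces for manual review instead of being silently cleared.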

CVEs Like This One

CVE-2026-26984 (same product: Mcgill Loris)
CVE-2026-35446 (same product: Mcgill Loris)
CVE-2026-34392 (same product: Mcgill Loris)
CVE-2026-35169 (same product: Mcgill Loris)
CVE-2026-26985 (same product: Mcgill Loris)
CVE-2026-3180 (shared CWE-89)
CVE-2025-1872 (shared CWE-89)
CVE-2026-32458 (shared CWE-89)
CVE-2026-24494 (shared CWE-89)
CVE-2025-26875 (shared CWE-89)

References

GitHub Security Advisory GHSA-9r29-6jgc-3ggh: https://github.com/aces/Loris/security/advisories/GHSA-9r29-6jgc-3ggh