CVE-2024-2356 — Path Traversal: '\..\filename' in Lollms-webui

CWE-29 — Path Traversal: '\..\filename'2 documents2 sources

Severity

9.6CRITICALNVD

EPSS

0.1%

top 74.45%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Parisneo Lollms-webui

Timeline

PublishedFeb 2

Description

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.…

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages1 packages

▶CVEListV5parisneo/parisneo_lollms-webuiunspecified — v9.5

🔴Vulnerability Details

GHSA

GHSA-v7vr-xfpj-4f3m: A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within↗2026-02-02

▶