CVE-2024-2359OS Command Injection in Lollms-webui

CWE-78OS Command Injection4 documents3 sources
Severity
9.8CRITICALNVD
EPSS
0.3%
top 50.32%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo Lollms-webuiLollms WEB UI
Timeline
PublishedJun 6
Latest updateFeb 15

Description

A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, which lacks proper access control, to modify the `host` configuration at runtime. By changing the `host` setting to an attacker-controlled value, the

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollms-webuiunspecifiedlatest

🔴Vulnerability Details

1
GHSA
GHSA-jhmr-hfhr-vhq6: A vulnerability in the parisneo/lollms-webui version 92024-06-06

📄Research Papers

2
arXiv
Red-MIRROR: Agentic LLM-based Autonomous Penetration Testing with Reflective Verification and Knowledge-augmented Interaction2026-03
arXiv
AXE: An Agentic eXploit Engine for Confirming Zero-Day Vulnerability Reports2026-02-15