cbcvebase.
CVE-2024-2366
published 2024-05-16


Priority: P3 (55)
Severity: critical, CVSS 3.0 base score 9.0
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.66% (47.0th percentile)
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.
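The bug class described above, as an added illustration rather than lollms-webui's own code: a binding path joined onto a bindings root without a containment check lets "../attacker" escape the root, and importing the "__init__.py" found there runs attacker-controlled code. The hardened resolver beside it resolves both paths and refuses anything that is not strictly inside the root. Function names, the directory layout and the "MARKER" strings are assumptions made for this example; the real endpoint and its fix are not reproduced here.

```python
"""Added example, not code from parisneo/lollms-webui. Names are illustrative."""
import importlib.util
import tempfile
from pathlib import Path


def resolve_binding_path_unsafe(bindings_root: Path, binding_path: str) -> Path:
    """Vulnerable pattern: join user input onto the root with no containment check.
    "../x" walks out of the root; an absolute binding_path even replaces it."""
    return Path(bindings_root) / binding_path


def resolve_binding_path_safe(bindings_root: Path, binding_path: str) -> Path:
    """Hardened pattern: resolve symlinks and '..' on both sides, then require the
    candidate to be a strict descendant of the root."""
    root = Path(bindings_root).resolve()
    candidate = (root / binding_path).resolve()
    if candidate == root or root not in candidate.parents:
        raise ValueError(f"binding path escapes bindings root: {binding_path!r}")
    return candidate


def load_binding_init(binding_dir: Path):
    """What a reinstall-style step effectively does: import the package's __init__.py.
    Whatever code is in that file executes at import time."""
    init_file = binding_dir / "__init__.py"
    spec = importlib.util.spec_from_file_location(f"binding_{binding_dir.name}", init_file)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo() -> dict:
    """Constructed scenario: a legitimate binding under the root and an attacker
    directory beside it, both holding an __init__.py (contents are constructed)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "bindings"
        (root / "good").mkdir(parents=True)
        (root / "good" / "__init__.py").write_text("MARKER = 'legit binding'\n")

        attacker_dir = Path(tmp) / "attacker"
        attacker_dir.mkdir()
        (attacker_dir / "__init__.py").write_text("MARKER = 'attacker code ran'\n")

        traversal = "../attacker"  # the path-traversal payload

        # Vulnerable flow: traversal is accepted and the attacker's __init__.py runs.
        unsafe_marker = load_binding_init(resolve_binding_path_unsafe(root, traversal)).MARKER

        # Hardened flow: the same payload (and an absolute path) is rejected before any import.
        blocked = []
        for payload in (traversal, str(attacker_dir)):
            try:
                resolve_binding_path_safe(root, payload)
                blocked.append(False)
            except ValueError:
                blocked.append(True)

        # A well-formed binding name still resolves and loads normally.
        legit_marker = load_binding_init(resolve_binding_path_safe(root, "good")).MARKER

        return {
            "unsafe_marker": unsafe_marker,
            "traversal_blocked": all(blocked),
            "legit_marker": legit_marker,
        }


if __name__ == "__main__":
    print(demo())
```

The containment check must run on fully resolved paths: normalising the string alone does not catch a symlink inside the bindings root that points elsewhere, and a plain prefix comparison on strings would accept "bindings_evil" as being under "bindings". Rejecting the root itself also stops an empty or "." binding path from turning the whole root into an importable package.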

Affected (2 ranges)

Vendor     Product                  Version range          Fixed in
lollms     lollms_web_ui            < 9.5                  9.5
parisneo   parisneo_lollms-webui    unspecified – latest   (none listed)