cbcvebase.
CVE-2024-4078
published 2024-05-16

CVE-2024-4078: A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization…

PriorityP259critical9.8CVSS 3.0
AVNACLPRNUINSUCHIHAH
EPSS
0.92%
55.7th percentile
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.

Affected

2 ranges
VendorProductVersion rangeFixed in
lollmslollms>= 0 < 9.5.09.5.0
parisneoparisneo_lollms>= unspecified < mainmain
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.