cbcvebase.
CVE-2024-6982
published 2025-03-20

Priority: P3 50
CVSS 3.0: 8.4 (High)
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.43% (34.8th percentile)
A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

Affected (2 ranges)

Vendor     Product           Version range            Fixed in
lollms     lollms            >= 0, < 11.0.0           11.0.0
parisneo   parisneo_lollms   >= unspecified, < 9.10   9.10