CVE-2024-6982
Published 2025-03-20
Priority P350 · CVSS 3.0 base score 8.4 (high) · vector AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (note that the vector rates attack vector as Local although the description calls the issue remote)
EPSS 0.43% (34.8th percentile)
A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.
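The failure mode the advisory describes is a general one: stripping `__builtins__` from the namespace handed to `eval()` restricts name lookup, but not attribute access on the objects that remain reachable, so evaluated input can still walk the object graph (the advisory's chain reaches `_frozen_importlib.BuiltinImporter` this way). The block below is an added example, not code from lollms or from this advisory: it reconstructs the vulnerable pattern in Python next to a hardened replacement that parses the input with `ast` and interprets only an allow-list of node types and `math` functions. The function names, the `MAX_LEN` and `MAX_EXPONENT` limits and the chosen set of allowed functions are assumptions made for illustration; the advisory's actual bypass chain is not reproduced, only the property that makes it possible.

```python
import ast
import math
import operator

# --- Vulnerable pattern: eval() with a "restricted" namespace ---------------
# Reconstruction of the shape the advisory describes (eval with __builtins__
# removed and only math functions exposed). Illustrative code, not the lollms
# Calculate function itself.
def calculate_unsafe(expression: str):
    # eval() re-inserts the real builtins when the key is absent, so it must be
    # set explicitly; an empty dict (or None) is the usual "sandbox" attempt.
    namespace = {"__builtins__": {}}
    namespace.update({name: getattr(math, name)
                      for name in dir(math) if not name.startswith("_")})
    # Name lookup is restricted, but attribute access on the objects that ARE
    # reachable (e.g. sqrt.__self__ is the math module) is not, so evaluated
    # input can walk the object graph out of the "sandbox".
    return eval(expression, namespace)

# --- Hardened version: parse to an AST and interpret an allow-list ----------
_BINOPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.FloorDiv: operator.floordiv,
           ast.Mod: operator.mod, ast.Pow: operator.pow}
_UNARYOPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
_FUNCS = {n: getattr(math, n) for n in
          ("sqrt", "sin", "cos", "tan", "log", "log10", "exp", "floor", "ceil", "fabs")}
_CONSTS = {"pi": math.pi, "e": math.e}
MAX_LEN = 200          # assumed limits, chosen for this example
MAX_EXPONENT = 10_000

def _eval(node):
    if isinstance(node, ast.Expression):
        return _eval(node.body)
    # Only plain int/float literals; type() check also excludes bool.
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in _CONSTS:
            return _CONSTS[node.id]
        raise ValueError(f"unknown name: {node.id}")
    if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARYOPS:
        return _UNARYOPS[type(node.op)](_eval(node.operand))
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        left, right = _eval(node.left), _eval(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")   # CPU/memory exhaustion guard
        return _BINOPS[type(node.op)](left, right)
    if isinstance(node, ast.Call):
        # Only direct calls of allow-listed math functions: no attribute
        # targets, no lambdas, no keyword arguments.
        if isinstance(node.func, ast.Name) and node.func.id in _FUNCS and not node.keywords:
            return _FUNCS[node.func.id](*[_eval(a) for a in node.args])
        raise ValueError("call not allowed")
    # Attribute, Subscript, Lambda, comprehensions, etc. all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def calculate_safe(expression: str):
    if len(expression) > MAX_LEN:
        raise ValueError("expression too long")
    try:
        tree = ast.parse(expression, mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"not an expression: {exc.msg}") from None
    return _eval(tree)

def is_rejected(expression: str) -> bool:
    """True if the hardened evaluator refuses the expression."""
    try:
        calculate_safe(expression)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(calculate_unsafe("sqrt.__self__"))   # the math module: the object graph leaks
    print(calculate_safe("sqrt(16) + 2**3"))    # 12.0
    print(is_rejected("sqrt.__self__"))         # True
```

The interpreter never hands user text to `eval()` or `exec()` at all; it decides per node, so anything it does not explicitly understand (attribute access, subscripts, lambdas, string literals) is refused rather than silently allowed. Keep the allow-list small, bound expression length and exponents, and treat the result as untrusted numeric output; as the affected-version table shows, the project's own fix landed in 9.10 (11.0.0 in the second range), so upgrading is the first step regardless.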
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms | >= 0 < 11.0.0 | 11.0.0 |
| parisneo | parisneo_lollms | >= unspecified < 9.10 | 9.10 |
GHSA
LoLLMS Code Injection vulnerability
ghsa·2025-03-20
CVE-2024-6982 [HIGH] CWE-94 LoLLMS Code Injection vulnerability
OSV
LoLLMS Code Injection vulnerability
osv·2025-03-20
CVE-2024-6982 [HIGH] LoLLMS Code Injection vulnerability
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.