Lollms Web Ui vulnerabilities
40 known vulnerabilities affecting lollms/lollms_web_ui.
Total CVEs: 40
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 13, HIGH 18, MEDIUM 8, LOW 1
Vulnerabilities
Page 1 of 2
CVE-2024-6250 | P1 | HIGH | CVSS 7.5 | CWE-36 | Exploited | PoC | v9.6 | 2024-06-27
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitr
Source: nvd
CVE-2024-4322 | P2 | HIGH | CVSS 7.5 | CWE-29 | PoC | fixed in 9.8 | 2024-05-16
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improp
Source: nvd
CVE-2024-1520 | P1 | CRITICAL | CVSS 9.8 | CWE-78 | ≥ 9.0, < 9.2 | 2024-04-10
An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operatin
Source: nvd
CVE-2024-1600 | P2 | CRITICAL | CVSS 9.3 | CWE-98 | ≥ 9.0, < 9.6 | 2024-04-10
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attack
Source: nvd
CVE-2024-2359 | P2 | CRITICAL | CVSS 9.8 | CWE-78 | v9.3 | 2024-06-06
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, wh
Source: nvd
CVE-2024-2358 | P2 | CRITICAL | CVSS 9.8 | CWE-29 | fixed in 9.5 | 2024-05-16
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter. Attackers can exploit this by crafting a payload that incl
Source: nvd
CVE-2024-1511 | P2 | CRITICAL | CVSS 9.8 | CWE-22 | v9.0 | 2024-04-10
The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endpoints. The vulnerability can be exploited even when t
Source: nvd
CVE-2024-4326 | P2 | CRITICAL | CVSS 9.8 | CWE-15 | fixed in 9.5 | 2024-05-16
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through th
Source: nvd
CVE-2024-2624 | P2 | CRITICAL | CVSS 9.8 | CWE-29 | fixed in 9.4 | 2024-06-06
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to insufficient sanitization of user-supplied input for the `path` parame
Source: nvd
CVE-2024-9920 | P2 | HIGH | CVSS 8.8 | CWE-434 | v12 | 2025-03-20
In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from
Source: nvd
CVE-2024-3322 | P3 | CRITICAL | CVSS 9.8 | CWE-22 | fixed in 9.5 | 2024-06-06
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scrip
Source: nvd
CVE-2024-8898 | P3 | CRITICAL | CVSS 9.8 | CWE-22 | v12 | 2025-03-20
A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of user-supplied input, which can be exploited to traverse dir
Source: nvd
CVE-2024-2361 | P3 | CRITICAL | CVSS 9.6 | CWE-29 | fixed in 9.5 | 2024-05-16
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to a
Source: nvd
CVE-2024-2362 | P3 | CRITICAL | CVSS 9.1 | CWE-36 | v9.3 | 2024-06-06
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del
Source: nvd
CVE-2024-2366 | P3 | CRITICAL | CVSS 9.0 | CWE-77 | fixed in 9.5 | 2024-05-16
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate t
Source: nvd
CVE-2024-8581 | P3 | CRITICAL | CVSS 9.1 | CWE-22 | v12 | 2025-03-20
A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error.
Source: nvd
CVE-2024-3126 | P3 | HIGH | CVSS 8.4 | CWE-78 | fixed in 9.5 | 2024-05-16
A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed
Source: nvd
CVE-2024-9919 | P3 | HIGH | CVSS 8.4 | CWE-306 | v13 | 2025-03-20
A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.
Source: nvd
CVE-2024-2548 | P3 | HIGH | CVSS 7.5 | CWE-36 | fixed in 9.5 | 2024-06-06
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and Linux environments using `Path(path).is_absolute()`, attackers can exploit th
Source: nvd
CVE-2024-1522 | P3 | HIGH | CVSS 8.8 | CWE-352 | ≥ 9.0, ≤ 9.2 | 2024-03-30
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits
Source: nvd