
Lollms Web Ui vulnerabilities

40 known vulnerabilities affecting lollms/lollms_web_ui.

Total CVEs: 40
CISA KEV: 0
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 13, HIGH 18, MEDIUM 8, LOW 1

Vulnerabilities (entry header: CVE | priority | severity | CVSS | affected or fixed version | date; descriptions are NVD text, truncated on the source page)

Page 2 of 2
CVE-2024-12766 | P3 | HIGH | CVSS 7.5 | v13 | 2025-03-20
CWE-918. parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter `{"url":"http://steal.target"}`. Existing security mechani…
Source: NVD
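Added example, not lollms-webui's code and not taken from the advisory: the validation a server-side proxy such as the `POST /api/proxy` handler above should run on its `url` parameter before fetching anything. It refuses non-HTTP schemes, embedded credentials, and any target whose literal or resolved address is loopback, private, link-local (the 169.254.169.254 metadata range included), multicast, reserved or IPv4-mapped, and can additionally enforce a host allow-list. The resolver is injected so the check runs offline; the FAKE_DNS table, the allow-list and the `proxy_rejection` name are assumptions.

```python
"""Outbound-URL validation for a server-side proxy such as the POST /api/proxy
handler named in CVE-2024-12766. Added example, not lollms-webui code; the
allow-list and the FAKE_DNS table are assumptions."""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]
ALLOWED_SCHEMES = {"http", "https"}


def system_resolver(host: str) -> List[str]:
    """Live resolver: every A/AAAA answer, so one hidden internal address fails the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(addr: str) -> bool:
    """True only for addresses that are not loopback, private, link-local, etc."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:   # ::ffff:127.0.0.1 and friends
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def proxy_rejection(url: str, resolver: Resolver = system_resolver,
                    allowed_hosts: Optional[Iterable[str]] = None) -> Optional[str]:
    """Return None if the proxy may fetch `url`, otherwise the reason to refuse it."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:                      # e.g. malformed IPv6 brackets
        return f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "missing host"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        return f"host not on allow-list: {host}"
    try:
        addrs = [str(ipaddress.ip_address(host))]  # literal IP: no lookup needed
    except ValueError:
        addrs = list(resolver(host))               # hostname: check every answer
    if not addrs:
        return f"host did not resolve: {host}"
    for addr in addrs:
        if not _is_public(addr):
            return f"{host} resolves to non-public address {addr}"
    return None


FAKE_DNS: Dict[str, List[str]] = {                 # constructed, offline stand-in for DNS
    "example.com": ["93.184.216.34"],
    "steal.target": ["11.22.33.44"],               # host from the advisory, arbitrary public IP
    "meta.internal": ["169.254.169.254"],          # cloud metadata endpoint
    "rebind.test": ["93.184.216.34", "127.0.0.1"], # split answer hiding a loopback address
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])


def demo() -> Dict[str, Optional[str]]:
    """Run the check over constructed inputs; a value of None means 'allowed'."""
    urls = [
        "http://example.com/report.json",
        "http://steal.target",
        "http://127.0.0.1:8080/",
        "http://[::ffff:127.0.0.1]/",
        "http://meta.internal/latest/meta-data/",
        "http://rebind.test/",
        "file:///etc/passwd",
        "http://user:pw@example.com/",
    ]
    return {u: proxy_rejection(u, fake_resolver) for u in urls}


if __name__ == "__main__":
    for url, why in demo().items():
        print(f"{url:45} {'ALLOW' if why is None else 'REJECT: ' + why}")
```

Note that without an allow-list the advisory's `http://steal.target` is still allowed: address filtering only stops the proxy reaching internal services, it does not stop it being used as an open relay with the server's credentials. Checking every resolved address reduces the split-answer trick but does not by itself defeat DNS rebinding; the fetch should connect to the address that was validated, and redirects must be re-validated rather than followed blindly.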
CVE-2024-3435 | P3 | HIGH | CVSS 8.4 | fixed in 9.5 | 2024-05-16
CWE-29. A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by…
Source: NVD
CVE-2024-2178 | P3 | HIGH | CVSS 7.5 | fixed in 9.4 | 2024-06-02
CWE-29. A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. By ins…
Source: NVD
CVE-2024-6040 | P3 | HIGH | CVSS 8.8 | v9.8 | 2024-08-01
CWE-352. In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local at…
Source: NVD
CVE-2024-4897 | P3 | HIGH | CVSS 8.4 | fixed in 9.8 | 2024-07-02
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted o…
Source: NVD
CVE-2024-6394 | P3 | HIGH | CVSS 7.5 | v9.8 | 2024-09-30
CWE-29. A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive informat…
Source: NVD
CVE-2024-4498 | P3 | HIGH | CVSS 7.7 | v9.7 | 2024-06-25
CWE-22. A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include…
Source: NVD
CVE-2025-1451 | P3 | HIGH | CVSS 7.5 | v13 | 2025-03-20
CWE-770. A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (…
Source: NVD
CVE-2024-10019 | P3 | MEDIUM | CVSS 6.7 | v12 | 2025-03-20
CWE-78. A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
Source: NVD
CVE-2024-2288 | P4 | HIGH | CVSS 8.3 | fixed in 9.3 | 2024-06-06
CWE-352. A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by…
Source: NVD
CVE-2024-6674 | P4 | HIGH | CVSS 7.1 | fixed in 10 | 2024-10-29
CWE-346. A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, such as deleting a project or sending a message. The issue…
Source: NVD
CVE-2024-1602 | P4 | MEDIUM | CVSS 6.1 | v9.0 | 2024-04-10
CWE-79. parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to s…
Source: NVD
CVE-2024-10047 | P4 | MEDIUM | CVSS 5.3 | v9.9 | 2025-03-20
CWE-36. parisneo/lollms-webui versions v9.9 to the latest are vulnerable to directory listing. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.
Source: NVD
CVE-2024-6959 | P4 | HIGH | CVSS 7.1 | v9.8 | 2024-10-13
CWE-352. A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui inaccessible. This issue is exacerbated by the lack of Cross-Sit…
Source: NVD
CVE-2024-8736 | P4 | MEDIUM | CVSS 6.5 | v12 | 2025-03-20
CWE-352. A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application still processes multipart boundaries, leading to resource exhaustion. By…
Source: NVD
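Added example, not lollms-webui code: bounded handling of the multipart boundary and delimiter lines that the three resource-exhaustion entries on this page (CVE-2025-1451, CVE-2024-6959 and CVE-2024-8736 above) turn on. RFC 2046 limits a boundary to 70 characters from a fixed alphabet; this code enforces that before the body is touched, reads the body with a hard per-line limit, and refuses any delimiter line that carries bytes after the boundary instead of scanning through them. The size limits, the sample bodies and the `check_upload` entry point are assumptions.

```python
"""Bounded multipart boundary and delimiter validation, illustrating the
multipart DoS entries (CVE-2025-1451, CVE-2024-6959, CVE-2024-8736).
Added example, not lollms-webui code; limits and sample bodies are assumptions."""
import io
import re
from typing import Dict, Optional

MAX_BOUNDARY_LEN = 70         # RFC 2046 section 5.1.1: a boundary is 1 to 70 bchars
MAX_CONTENT_TYPE_LEN = 1024   # assumed cap on the header, applied before parsing it
MAX_LINE_LEN = 8192           # assumed cap on any single line inside the body
MAX_PARTS = 64                # assumed cap on the number of parts

# bcharsnospace from RFC 2046; a space may appear inside a boundary but not at its end
_BCHARS_NOSPACE = r"0-9A-Za-z'()+_,\-./:=?"
_BOUNDARY_RE = re.compile(
    rf"[{_BCHARS_NOSPACE} ]{{0,{MAX_BOUNDARY_LEN - 1}}}[{_BCHARS_NOSPACE}]")


def parse_boundary(content_type: str) -> str:
    """Extract and validate the boundary parameter of a Content-Type header, or raise ValueError."""
    if len(content_type) > MAX_CONTENT_TYPE_LEN:
        raise ValueError("Content-Type header too long")
    media, _, params = content_type.partition(";")
    if media.strip().lower() != "multipart/form-data":
        raise ValueError(f"unexpected media type {media.strip()!r}")
    boundary: Optional[str] = None
    for param in params.split(";"):
        name, _, value = param.strip().partition("=")
        if name.strip().lower() == "boundary":
            boundary = value.strip().strip('"')
    if boundary is None:
        raise ValueError("boundary parameter missing")
    if not _BOUNDARY_RE.fullmatch(boundary):
        raise ValueError(f"boundary rejected (length {len(boundary)} or illegal characters)")
    return boundary


def count_parts(body: bytes, boundary: str) -> int:
    """Walk the body line by line under a hard line limit. Every line that starts
    with the delimiter must be exactly '--boundary' or the closing '--boundary--';
    trailing bytes after the boundary are an error, not something to loop over."""
    delim = b"--" + boundary.encode("ascii")
    stream = io.BytesIO(body)                     # in a server this would be the request stream
    parts = 0
    while True:
        raw = stream.readline(MAX_LINE_LEN + 1)   # returns a partial line once the cap is hit
        if not raw:
            raise ValueError("closing delimiter never seen")
        if len(raw) > MAX_LINE_LEN:
            raise ValueError("line exceeds MAX_LINE_LEN")
        line = raw.rstrip(b"\r\n")
        if not line.startswith(delim):
            continue                              # header or data line of a part
        tail = line[len(delim):]
        if tail == b"":
            parts += 1
            if parts > MAX_PARTS:
                raise ValueError("too many parts")
        elif tail == b"--":
            return parts
        else:
            raise ValueError(f"unexpected {len(tail)} byte(s) after boundary delimiter")


def check_upload(content_type: str, body: bytes) -> Dict[str, object]:
    """Single entry point: {'ok': bool, 'parts': int, 'reason': Optional[str]}."""
    try:
        parts = count_parts(body, parse_boundary(content_type))
    except ValueError as exc:
        return {"ok": False, "parts": 0, "reason": str(exc)}
    return {"ok": True, "parts": parts, "reason": None}


# Constructed sample request bodies (not captured traffic).
BOUNDARY = "----ExampleBoundaryabc123"
GOOD_BODY = (
    f"--{BOUNDARY}\r\n".encode()
    + b'Content-Disposition: form-data; name="audio"; filename="clip.wav"\r\n'
    + b"Content-Type: audio/wav\r\n\r\n"
    + b"RIFF....WAVEfmt " + b"\x00" * 16 + b"\r\n"
    + f"--{BOUNDARY}--\r\n".encode()
)
# The shape the entries describe: junk appended to the end of a delimiter line.
JUNK_BODY = GOOD_BODY.replace(
    f"--{BOUNDARY}\r\n".encode(), f"--{BOUNDARY}".encode() + b"A" * 200 + b"\r\n", 1)

if __name__ == "__main__":
    ct = f"multipart/form-data; boundary={BOUNDARY}"
    print(check_upload(ct, GOOD_BODY))
    print(check_upload(ct, JUNK_BODY))
    print(check_upload("multipart/form-data; boundary=" + "x" * 71, GOOD_BODY))
```

Apply these limits before any multipart parsing runs, including for requests that a CSRF or client_id check will reject later; CVE-2024-8736 notes that the boundary was still processed after CSRF protection blocked the upload. The same caps can be mirrored on a reverse proxy in front of the application.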
CVE-2024-6673 | P4 | MEDIUM | CVSS 6.5 | fixed in 10 | 2024-10-29
CWE-352. A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker to trick a victim into installing ComfyUI. If the victim's device does not…
Source: NVD
CVE-2024-2299 | P4 | MEDIUM | CVSS 6.1 | fixed in 9.5 | 2024-05-14
CWE-79. A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of uploaded files in the profile picture upload functionality. Attackers can exploit this vulnerability by uploading malicious HTML files containing JavaScript code, which is executed when the file is accessed. This vulnerability…
Source: NVD
CVE-2024-6986 | P4 | MEDIUM | CVSS 5.4 | v9.8 | 2025-03-20
CWE-79. A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as HTML. This allows an attacker to execute malicious JavaScript code by injecting a payload into the 'Sys…
Source: NVD
CVE-2024-7058 | P4 | MEDIUM | CVSS 4.4 | v10 | 2025-03-20
CWE-23. A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 to latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer.
Source: NVD
CVE-2024-4330 | P4 | LOW | CVSS 3.3 | affected ≥ 9.6, < 9.8 | 2024-05-30
CWE-23. A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulnerability arises due to improper handling of user-supplied input in the 'list_personalities' endpoint. By crafting a malicious HTTP request, an attacker can traverse the directory structure and view the contents of any folder, alb…
Source: NVD
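Added example, not lollms-webui code, covering the traversal entries on this page (the sanitize_path bypass in CVE-2024-7058, CVE-2024-4330, CVE-2024-10047 and the other CWE-22/23/29/36 entries): a containment check performed on the resolved path rather than on the input string. The hypothetical `prefix_check_accepts` stands in for the kind of string filter a './' prefix walks past; `contain_path` is the replacement, and it also handles backslashes, drive letters and UNC prefixes so the same check holds on a Windows host, the platform CVE-2024-10047 concerns. The base directory, the prefix check and the sample inputs are assumptions.

```python
"""Path containment for user-supplied personality and file paths, illustrating
the traversal entries (CVE-2024-7058, CVE-2024-4330, CVE-2024-10047 and others).
Added example, not lollms-webui code; DEMO_BASE and the samples are assumptions."""
import ntpath
import os
from typing import Dict, Optional

DEMO_BASE = "/srv/lollms/personalities"   # assumed personality_folder location


def prefix_check_accepts(user_path: str) -> bool:
    """Hypothetical string-prefix 'sanitizer' of the kind the entries describe:
    it refuses paths that start with '..' or '/', and nothing else. A path that
    begins with './' and climbs afterwards is accepted."""
    return not (user_path.startswith("..") or user_path.startswith("/"))


def contain_path(base_dir: str, user_path: str) -> Optional[str]:
    """Return the resolved absolute path if it stays inside base_dir, else None.
    Deciding on the resolved path means './', a '..' in the middle, '\\'
    separators, drive letters, UNC prefixes and symlinks all fall to one test."""
    if "\x00" in user_path:
        return None
    # Treat backslash as a separator even on POSIX, so a path built for a
    # Windows server cannot slip through as one odd-looking filename.
    normalised = user_path.replace("\\", "/")
    if (os.path.isabs(normalised) or ntpath.isabs(normalised)
            or ntpath.splitdrive(normalised)[0]):
        return None                               # absolute, UNC or drive-qualified
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, normalised))
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None                           # climbed out of base
    except ValueError:                            # different drives on Windows
        return None
    return candidate


def demo() -> Dict[str, Dict[str, object]]:
    """Run both checks over constructed inputs (not captured requests)."""
    samples = [
        "english/generic/chatgpt/config.yaml",   # legitimate
        "english/../english/config.yaml",        # '..' that stays inside base
        "./../../etc/passwd",                    # './' prefix of the shape CVE-2024-7058 describes
        "..\\..\\etc\\passwd",                   # backslashes, as on a Windows host
        "C:\\Windows\\win.ini",                  # drive-qualified
        "\\\\server\\share\\x",                  # UNC
        "/etc/passwd",                           # absolute
    ]
    return {p: {"prefix_check_accepts": prefix_check_accepts(p),
                "contained_as": contain_path(DEMO_BASE, p)} for p in samples}


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{path!r:40} prefix_check={verdict['prefix_check_accepts']!s:5} "
              f"contained_as={verdict['contained_as']}")
```

Because `contain_path` works on `os.path.realpath`, a symlink planted inside the base that points outside it is rejected as well, which a string-only filter can never catch. Run it on the exact value that will reach `open()` or a directory listing, after any other decoding of the request parameter.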
Lollms Web Ui vulnerabilities | cvebase