
Parisneo Lollms vulnerabilities

28 known vulnerabilities affecting parisneo/parisneo_lollms.

Total CVEs: 28
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 13, MEDIUM 6, LOW 1

Vulnerabilities

Page 1 of 2
CVE-2026-0560 | P2 | HIGH | CVSS 7.5 | PoC | Affected: ≥ unspecified, < 2.2.0 | 2026-03-29
CWE-918: A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud me
Source: nvd

CVE-2024-4320 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 9.8 | 2024-06-06
CWE-29: A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter in the `ExtensionBuilder().build_extension()` method, which allows for l
Source: nvd

CVE-2024-3429 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 9.6 | 2024-06-06
CWE-29: A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-su
Source: nvd

CVE-2026-1114 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 2.2.0 | 2026-04-07
CWE-284: In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge admini
Source: nvd

CVE-2024-4078 | P2 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < main | 2024-05-16
CWE-77: A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and exec
Source: nvd

CVE-2026-0558 | P3 | CRITICAL | CVSS 9.8 | Affected: ≥ unspecified, < 2.2.0 | 2026-03-29
CWE-287: A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial o
Source: nvd

CVE-2024-6085 | P3 | HIGH | CVSS 8.6 | Affected: ≥ unspecified, ≤ latest | 2024-06-27
CWE-22: A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows a
Source: nvd

CVE-2026-0562 | P3 | HIGH | CVSS 8.3 | Affected: ≥ unspecified, < 2.2.0 | 2026-03-29
CWE-863: A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the
Source: nvd

CVE-2024-4315 | P3 | CRITICAL | CVSS 9.1 | Affected: ≥ unspecified, < 9.8 | 2024-06-12
CWE-22: parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through
Source: nvd

CVE-2026-1117 | P3 | HIGH | CVSS 8.2 | Affected: ≥ unspecified, < 2.0.0 | 2026-02-02
CWE-284: A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks.
Source: nvd

CVE-2024-6982 | P3 | HIGH | CVSS 8.4 | Affected: ≥ unspecified, < 9.10 | 2025-03-20
CWE-94: A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `
Source: nvd

CVE-2024-6040 | P3 | HIGH | CVSS 8.8 | Affected: ≥ unspecified, ≤ latest | 2024-08-01
CWE-352: In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local at
Source: nvd

CVE-2024-4881 | P3 | HIGH | CVSS 7.5 | Affected: ≥ unspecified, < 5.9.0 | 2024-06-06
CWE-36: A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Wind
Source: nvd

CVE-2024-6139 | P3 | HIGH | CVSS 7.3 | Affected: ≥ unspecified, ≤ latest | 2024-06-27
CWE-29: A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.
Source: nvd

CVE-2024-6581 | P3 | CRITICAL | CVSS 9.0 | Affected: ≥ unspecified, < 9.9 | 2024-10-29
CWE-79: A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script
Source: nvd

CVE-2026-1115 | P3 | CRITICAL | CVSS 9.6 | Affected: ≥ unspecified, < 2.2.0 | 2026-04-10
CWE-79: A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This al
Source: nvd

CVE-2025-6386 | P3 | HIGH | CVSS 7.5 | Affected: ≥ unspecified, < 20.1 | 2025-07-07
CWE-203: The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolve
Source: nvd

CVE-2024-5824 | P3 | HIGH | CVSS 7.4 | Affected: ≥ unspecified, < latest | 2024-06-27
CWE-22: A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.
Source: nvd

CVE-2024-11302 | P3 | HIGH | CVSS 8.0 | Affected: ≥ unspecified, ≤ latest | 2025-03-20
CWE-304: A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others, enabling unauthorized access and manipulation of binding settings without
Source: nvd

CVE-2024-6281 | P3 | HIGH | CVSS 7.3 | Affected: ≥ unspecified, < 9.5.1 | 2024-07-20
CWE-22: A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.
Source: nvd