Parisneo Lollms-Webui vulnerabilities
52 known vulnerabilities affecting parisneo/parisneo_lollms-webui.
Total CVEs: 52
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 20, HIGH 21, MEDIUM 8, LOW 3
Vulnerabilities
Page 1 of 3
CVE-2024-6250 | P1 | HIGH | CVSS 7.5 | Exploited, PoC | affected: ≥ unspecified, ≤ latest | 2024-06-27
CWE-36: An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitr
Source: nvd
CVE-2024-4841 | P2 | LOW | CVSS 3.3 | Exploited, PoC | affected: ≥ unspecified, ≤ latest | 2024-06-23
CWE-29: A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can predict the folders, subfolders, and files present on the victim's computer. The
Source: nvd
CVE-2024-4322 | P2 | HIGH | CVSS 7.5 | PoC | affected: ≥ unspecified, ≤ latest | 2024-05-16
CWE-29: A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue affects the latest version of the application. The vulnerability is due to improp
Source: nvd
CVE-2024-1520 | P1 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < 9.1 | 2024-04-10
CWE-78: An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operatin
Source: nvd
CVE-2024-1601 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < 9.2 | 2024-04-16
CWE-89: An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the `/delete_discussion` endpoint, which internally calls the vulnerable `delete_discussion()` functi
Source: nvd
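The CVE-2024-1601 entry describes the classic shape of this bug: a request-controlled discussion id pasted into a DELETE statement, so a value such as `1 OR 1=1` widens the WHERE clause to every row. The block below is an added illustration written for this page; it is not lollms-webui's `delete_discussion()` and the two-table schema, the table names and the sample rows are constructed for the demonstration. It puts the vulnerable shape beside a hardened one that coerces the id to an integer and binds it as a query parameter.

```python
import sqlite3

# Constructed stand-in schema; it is not lollms-webui's real database layout.
TABLES = {"discussion", "message"}


def make_db() -> sqlite3.Connection:
    """In-memory database with three discussions and one message each (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE discussion (id INTEGER PRIMARY KEY, title TEXT)")
    conn.execute(
        "CREATE TABLE message (id INTEGER PRIMARY KEY, discussion_id INTEGER, content TEXT)"
    )
    conn.executemany(
        "INSERT INTO discussion (id, title) VALUES (?, ?)",
        [(1, "first"), (2, "second"), (3, "third")],
    )
    conn.executemany(
        "INSERT INTO message (discussion_id, content) VALUES (?, ?)",
        [(1, "m1"), (2, "m2"), (3, "m3")],
    )
    conn.commit()
    return conn


def count_rows(conn: sqlite3.Connection, table: str) -> int:
    # Table names come from this module's constant set, never from a request.
    if table not in TABLES:
        raise ValueError(table)
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def delete_discussion_vulnerable(conn: sqlite3.Connection, discussion_id) -> None:
    """Hypothetical vulnerable shape: the request value becomes part of the SQL text,
    so '1 OR 1=1' turns both deletes into 'delete everything'."""
    conn.execute(f"DELETE FROM message WHERE discussion_id = {discussion_id}")
    conn.execute(f"DELETE FROM discussion WHERE id = {discussion_id}")
    conn.commit()


def delete_discussion_safe(conn: sqlite3.Connection, discussion_id) -> int:
    """Hardened: the id must parse as an integer (anything else is rejected before any
    SQL runs) and is then bound as a parameter, so the driver never treats it as SQL.
    Returns the number of discussion rows removed (0 if the id did not exist)."""
    try:
        did = int(str(discussion_id).strip())
    except ValueError:
        raise ValueError("discussion_id must be an integer") from None
    with conn:  # one transaction: both deletes commit or neither does
        conn.execute("DELETE FROM message WHERE discussion_id = ?", (did,))
        cur = conn.execute("DELETE FROM discussion WHERE id = ?", (did,))
    return cur.rowcount
```

Parameter binding alone would already stop the injection; the integer coercion is kept as well because it turns a malformed id into a clean 4xx at the edge instead of a no-op delete, and it is the check a reviewer can verify without reading the SQL.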
CVE-2024-1600 | P2 | CRITICAL | CVSS 9.3 | affected: ≥ unspecified, < 9.5 | 2024-04-10
CWE-98: A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attack
Source: nvd
CVE-2024-34359 | P2 | CRITICAL | CVSS 9.6 | affected: ≥ unspecified, ≤ latest | 2024-05-14
CWE-76: llama-cpp-python is the Python bindings for llama.cpp. `llama-cpp-python` depends on class `Llama` in `llama.py` to load `.gguf` llama.cpp or Latency Machine Learning Models. The `__init__` constructor built in the `Llama` takes several parameters to configure the loading and running of the model. Other than `NUMA, LoRa settings`, `loading tokenize
Source: nvd
CVE-2024-2359 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-06-06
CWE-78: A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises from the application's handling of the `/execute_code` endpoint, which is intended to be blocked from external access by default. However, attackers can exploit the `/update_setting` endpoint, wh
Source: nvd
CVE-2024-4267 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-05-22
CWE-77: A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulnerability by crafting a malicious file path that, when
Source: nvd
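CVE-2024-1520 (`discussion_id` on `/open_code_folder`) and CVE-2024-4267 (a crafted path reaching a command in `open_file`) are both the same failure: request data reaches an OS command through a shell. The block below is an added example for this page, not lollms-webui code; the `xdg-open` opener and the `/srv/lollms/discussions` root are assumptions chosen for the illustration. Both builders return the command they would run instead of running it, so the difference is visible without spawning anything.

```python
import re
import subprocess
from pathlib import PurePosixPath

# Constructed root for per-discussion code folders; the project's real layout is not assumed.
DISCUSSIONS_ROOT = PurePosixPath("/srv/lollms/discussions")
OPENER = "xdg-open"  # assumed desktop opener; the argv shape is the point, not the tool
_ID_RE = re.compile(r"[0-9]{1,18}")


def open_code_folder_vulnerable(discussion_id: str) -> str:
    """Hypothetical vulnerable shape: the request value is concatenated into a command
    line that would go to a shell (subprocess.run(cmd, shell=True)). Returns the
    string so the injected '; id' is visible."""
    return f"{OPENER} {DISCUSSIONS_ROOT}/{discussion_id}"


def open_code_folder_safe(discussion_id) -> list:
    """Hardened: the id must be a short decimal string, the folder is derived from it,
    and the opener receives an argv list so no shell ever parses it."""
    raw = str(discussion_id)
    if not _ID_RE.fullmatch(raw):
        raise ValueError("discussion_id must be a decimal integer")
    folder = DISCUSSIONS_ROOT / str(int(raw))
    # The path is absolute, so it cannot start with '-' and be read as an option, and
    # as a single argv element any ';', '&', '|' or '$' in it would be plain data.
    return [OPENER, str(folder)]


def run_opener(argv: list) -> int:
    """Execute an argv list built by open_code_folder_safe; shell=False is explicit."""
    return subprocess.run(argv, shell=False, check=False).returncode
```

Quoting with `shlex.quote` would defend the shell form, but it leaves the shell in the loop and still lets a path beginning with `-` be read as an option; deriving the path from a validated integer and passing an argv list removes both problems at once.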
CVE-2024-2360 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-06-06
CWE-29: parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in the 'Database path' and 'PDF LaTeX path' settings. An attacker can exploit this vulnerability by manipulating these settings to execute arbitrary code on the targeted server. The issue affects
Source: nvd
CVE-2024-2358 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-05-16
CWE-29: A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises due to insufficient sanitization of user-supplied input in the configuration settings, specifically within the 'extensions' parameter. Attackers can exploit this by crafting a payload that incl
Source: nvd
CVE-2024-1511 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-04-10
CWE-22: The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allows an unauthenticated attacker to read, write, and in certain configurations execute arbitrary files on the server by exploiting various endpoints. The vulnerability can be exploited even when t
Source: nvd
CVE-2024-1873 | P2 | CRITICAL | CVSS 9.1 | affected: ≥ unspecified, < v9.3 | 2024-06-06
CWE-22: parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the `DiscussionsDB` instance. This flaw enables attackers to create directories anywhere on
Source: nvd
CVE-2024-4326 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < 9.5 | 2024-05-16
CWE-15: A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through th
Source: nvd
CVE-2024-2624 | P2 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < 9.4 | 2024-06-06
CWE-29: A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_personal_path")` endpoint in `./lollms-webui/lollms_core/lollms/server/endpoints/lollms_user.py`. The vulnerability arises due to insufficient sanitization of user-supplied input for the `path` parame
Source: nvd
CVE-2024-2356 | P2 | CRITICAL | CVSS 9.6 | affected: ≥ unspecified, < v9.5 | 2026-02-02
CWE-29: A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitra
Source: nvd
CVE-2024-9920 | P2 | HIGH | CVSS 8.8 | affected: ≥ unspecified, ≤ latest | 2025-03-20
CWE-434: In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoint to execute these files. The vulnerability arises from
Source: nvd
CVE-2024-3322 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < 9.5 | 2024-06-06
CWE-22: A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vulnerability arises from the improper limitation of a pathname to a restricted directory in the 'process_folder' function within 'lollms-webui/zoos/personalities_zoo/cyber_security/codeguard/scrip
Source: nvd
CVE-2024-5482 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, ≤ latest | 2024-06-06
CWE-918: A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version. The vulnerability arises because the application does not adequately validate URLs entered by users, allowing them to input arbitrary URLs, including those that target internal resources such
Source: nvd
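The CVE-2024-5482 entry says the `add_webpage` endpoint fetches whatever URL the user supplies, so the server can be pointed at loopback, LAN or cloud-metadata addresses. An added example of the check a practitioner would put in front of such a fetch follows; it is not lollms-webui code. The resolver is injectable so the check can be run offline, and the `DEMO_DNS` table is constructed for the demonstration, not real DNS data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the check runs offline; not real DNS data.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "metadata.example": ["169.254.169.254"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],  # one public, one loopback answer
}


def demo_resolver(host: str) -> list:
    return DEMO_DNS.get(host, [])


def resolve_all(host: str) -> list:
    """Default resolver: every address the OS would connect to for this host."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def is_public_address(addr: str) -> bool:
    """True only for routable internet addresses. Loopback, RFC 1918, link-local
    (169.254.169.254 included), CGNAT, multicast and reserved ranges are all False."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is loopback, judge it as IPv4
    return ip.is_global and not ip.is_multicast


def validate_webpage_url(url: str, resolver=resolve_all) -> list:
    """Return the host's resolved addresses if the URL is http(s), carries no
    credentials, and every address is public; raise ValueError otherwise."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("loopback host name")
    try:
        addrs = [str(ipaddress.ip_address(host))]  # IP literal: judge it directly
    except ValueError:
        addrs = resolver(host)
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:  # every answer must pass, or a dual A record slips through
        if not is_public_address(addr):
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return addrs
```

Two caveats the check itself cannot cover: the fetch must connect to one of the addresses this function returned (sending the original host name in the Host header), otherwise a second DNS lookup at connect time can be rebound to an internal address; and redirects must be followed manually with each hop re-validated, since an allowed public URL can 302 to `http://169.254.169.254/`.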
CVE-2024-8898 | P3 | CRITICAL | CVSS 9.8 | affected: ≥ unspecified, < V12 | 2025-03-20
CWE-22: A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of user-supplied input, which can be exploited to traverse dir
Source: nvd
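Most of the entries on this page are one bug in different endpoints: a client path joined onto a server directory without a containment check (CVE-2024-6250 describes `sanitize_path` letting absolute paths through, CVE-2024-4322 and CVE-2024-1511 traverse with `../`, CVE-2024-2624 and CVE-2024-8898 create or delete directories at arbitrary paths), and CVE-2024-9920 adds an upload whose name and extension were never restricted. The block below is an added example written for this page; it is not the project's `sanitize_path`, and the upload allowlist, the root directory and the demo tree are constructed for the illustration. The point it makes is that the decision belongs to the resolved real path, not to whether the input string "looks" absolute: with `allow_absolute_path=True` an absolute input is accepted, but it still has to land inside the root.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath, PureWindowsPath


class PathTraversalError(ValueError):
    """Raised when a client-supplied path would leave the configured root."""


# Constructed upload allowlist for the demonstration; the project's real policy is not assumed.
UPLOAD_EXTENSIONS = {".txt", ".md", ".pdf", ".csv", ".json"}


def looks_absolute(raw: str) -> bool:
    """Absolute in POSIX or Windows form (/x, \\x, C:\\x, C:x, \\\\server\\share)."""
    return (
        PurePosixPath(raw).is_absolute()
        or bool(PureWindowsPath(raw).drive)
        or raw.startswith(("/", "\\"))
    )


def safe_join(base, user_path, allow_absolute_path: bool = False) -> Path:
    """Resolve user_path against base and return it only if the real (symlink-free,
    '..'-collapsed) result is still inside base. allow_absolute_path lets an absolute
    input through the first gate; the containment check still applies to it."""
    raw = str(user_path)
    if "\x00" in raw:
        raise PathTraversalError("NUL byte in path")
    if not allow_absolute_path and looks_absolute(raw):
        raise PathTraversalError("absolute paths are not accepted")
    base_real = Path(os.path.realpath(base))
    # realpath collapses '..' and follows symlinks, so the test below sees the location
    # the OS would actually open rather than the string the client sent.
    target = Path(os.path.realpath(base_real / raw))
    try:
        target.relative_to(base_real)
    except ValueError:
        raise PathTraversalError(f"{raw!r} escapes {base_real}") from None
    return target


def safe_upload_name(filename: str) -> str:
    """Reduce a client filename to a bare name and enforce the extension allowlist."""
    # Drop directories in either separator style: 'a/../b' and '..\\..\\b' both become 'b'.
    name = PureWindowsPath(PurePosixPath(filename).name).name
    if not name or name.startswith("."):
        raise ValueError("empty or hidden filename")
    ext = PurePosixPath(name).suffix.lower()  # only the last extension is judged
    if ext not in UPLOAD_EXTENSIONS:
        raise ValueError(f"extension {ext or '(none)'} is not allowed")
    return name


def build_demo_tree() -> Path:
    """Constructed layout for exercising the checks: base/docs/notes.txt plus a symlink
    'escape' pointing outside base (skipped where symlinks are unavailable)."""
    base = Path(tempfile.mkdtemp(prefix="lollms_demo_"))
    (base / "docs").mkdir()
    (base / "docs" / "notes.txt").write_text("hello")
    outside = Path(tempfile.mkdtemp(prefix="lollms_outside_"))
    (outside / "secret.txt").write_text("not for clients")
    try:
        os.symlink(outside, base / "escape", target_is_directory=True)
    except (OSError, NotImplementedError):
        pass
    return base


if __name__ == "__main__":
    root = build_demo_tree()
    for candidate in ("docs/notes.txt", "../../etc/passwd", "escape/secret.txt", "C:\\Windows\\win.ini"):
        try:
            print(candidate, "->", safe_join(root, candidate))
        except PathTraversalError as exc:
            print(candidate, "-> rejected:", exc)
```

`safe_upload_name` only judges the final extension, so `payload.py.txt` is accepted; that is deliberate, because an extension allowlist is a courtesy filter, not a content check. The real fix for the CVE-2024-9920 chain is that nothing in the upload directory is ever passed to an executor or opener, whatever it is called.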