
Parisneo Lollms-Webui vulnerabilities

52 known vulnerabilities affecting parisneo/parisneo_lollms-webui.

Total CVEs: 52
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 20, HIGH 21, MEDIUM 8, LOW 3

Vulnerabilities

Page 2 of 3
CVE-2024-2361 | P3 | CRITICAL | CVSS 9.6 | CWE-29 | affected: ≥ unspecified, ≤ latest | 2024-05-16 | source: nvd
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, the issue resides in the `install_model()` function within `lollms_core/lollms/binding.py`, where the application fails to properly sanitize the `file://` protocol and other inputs, leading to a…
CVE-2024-2362 | P3 | CRITICAL | CVSS 9.1 | CWE-36 | affected: ≥ unspecified, ≤ latest | 2024-06-06 | source: nvd
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Windows and Linux environments, an attacker can exploit this vulnerability to delete any file on the system. The issue arises from the lack of adequate sanitization of user-supplied input in the 'del…
CVE-2024-2366 | P3 | CRITICAL | CVSS 9.0 | CWE-77 | affected: ≥ unspecified, ≤ latest | 2024-05-16 | source: nvd
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate t…
CVE-2024-8581 | P3 | CRITICAL | CVSS 9.1 | CWE-22 | affected: ≥ unspecified, < v14 | 2025-03-20 | source: nvd
A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error.
CVE-2024-3126 | P3 | HIGH | CVSS 8.4 | CWE-78 | affected: ≥ unspecified, < 9.5 | 2024-05-16 | source: nvd
A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function utilizes 'subprocess.Popen' to execute a command constructed…
CVE-2024-9919 | P3 | HIGH | CVSS 8.4 | CWE-306 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.
CVE-2024-2548 | P3 | HIGH | CVSS 7.5 | CWE-36 | affected: ≥ unspecified, < 9.5 | 2024-06-06 | source: nvd
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server/endpoints/lollms_binding_files_server.py` and `lollms_core/lollms/security.py` files. Due to inadequate validation of file paths between Windows and Linux environments using `Path(path).is_absolute()`, attackers can exploit th…
CVE-2024-1522 | P3 | HIGH | CVSS 8.8 | CWE-352 | affected: ≥ unspecified, < 9.2 | 2024-03-30 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits…
CVE-2024-12766 | P3 | HIGH | CVSS 7.5 | CWE-918 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the JSON parameter `{"url":"http://steal.target"}`. Existing security mechani…
CVE-2024-3435 | P3 | HIGH | CVSS 8.4 | CWE-29 | affected: ≥ unspecified, < 9.5 | 2024-05-16 | source: nvd
A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by…
CVE-2024-1646 | P3 | HIGH | CVSS 8.2 | CWE-288 | affected: ≥ unspecified, < 9.3 | 2024-04-16 | source: nvd
parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized access to endpoints such as '/restart_program', '/update_s…
CVE-2024-2178 | P3 | HIGH | CVSS 7.5 | CWE-29 | affected: ≥ unspecified, ≤ latest | 2024-06-02 | source: nvd
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in the 'lollms_personalities_infos.py' file. This vulnerability allows attackers to read arbitrary files by manipulating the 'category' and 'name' parameters during the 'Copy to custom personas folder for editing' process. By ins…
CVE-2024-6394 | P3 | HIGH | CVSS 7.5 | CWE-29 | affected: ≥ unspecified, ≤ latest | 2024-09-30 | source: nvd
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files on the server, potentially exposing sensitive informat…
CVE-2024-4498 | P3 | HIGH | CVSS 7.7 | CWE-22 | affected: ≥ unspecified, ≤ latest | 2024-06-25 | source: nvd
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to manipulate the `discussion_db_name` parameter to traverse the file system and include…
CVE-2024-1569 | P3 | HIGH | CVSS 7.5 | CWE-400 | affected: ≥ unspecified, < 9.2 | 2024-04-16 | source: nvd
parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the `/open_code_in_vs_code` and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or the default folder opener (e.g., File Explorer, xdg-open)…
CVE-2025-1451 | P3 | HIGH | CVSS 7.5 | CWE-770 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long boundaries, leading to resource exhaustion and eventual denial of service (…
CVE-2024-4403 | P3 | HIGH | CVSS 8.8 | CWE-352 | affected: ≥ unspecified, ≤ latest | 2024-06-10 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF forms. This issue affects the installation process, inc…
CVE-2024-10019 | P3 | MEDIUM | CVSS 6.7 | CWE-78 | affected: ≥ unspecified, ≤ latest | 2025-03-20 | source: nvd
A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and execute arbitrary code by exploiting the path traversal vulnerability.
CVE-2024-4328 | P3 | HIGH | CVSS 8.1 | CWE-352 | affected: ≥ unspecified, ≤ latest | 2024-06-10 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the clear_personality_files_list function of the parisneo/lollms-webui v9.6. The vulnerability arises from the use of a GET request to clear personality files list, which lacks proper CSRF protection. This flaw allows attackers to trick users into performing actions without their consent, such…
CVE-2024-2288 | P4 | HIGH | CVSS 8.3 | CWE-352 | affected: ≥ unspecified, < 9.3 | 2024-06-06 | source: nvd
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without their consent, potentially leading to a denial of service by…