
Parisneo Lollms vulnerabilities

28 known vulnerabilities affecting parisneo/parisneo_lollms.

Total CVEs: 28
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: CRITICAL 8, HIGH 13, MEDIUM 6, LOW 1

Vulnerabilities (page 2 of 2)

Each entry: CVE | priority | severity | CVSS | affected versions | date | source
CVE-2024-9597 | P3 | HIGH | CVSS 7.1 | ≥ unspecified, ≤ latest | 2025-03-20 | nvd
CWE-22. A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An attacker can exploit this by sending a specially crafted HTTP request to dele

CVE-2024-4499 | P4 | MEDIUM | CVSS 6.3 | ≥ unspecified, ≤ latest | 2024-06-24 | nvd
CWE-352. A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger arbitrary LoLLMS-XTTS API requests. This issue can lead to the reading and w

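The lax-CORS class of bug in CVE-2024-4499 comes down to two server-side decisions: which origins get acknowledged in CORS response headers, and whether a state-changing request from a foreign page is accepted at all. The following is an added example written for this page, not lollms' XTTS server code; the origins in ALLOWED_ORIGINS, the helper names and the use of Sec-Fetch-Site are assumptions. It shows the reflecting policy beside an allow-list, and a request-level origin check that rejects cross-site POSTs regardless of CORS.

```python
"""CORS allow-listing and an origin check against CSRF (added example).

Constructed for this page; not lollms' own XTTS server code.  The origins
in ALLOWED_ORIGINS and the helper functions are assumptions.
"""
from urllib.parse import urlsplit

# Assumed origins of the legitimate local UI.
ALLOWED_ORIGINS = {"http://localhost:9600", "http://127.0.0.1:9600"}


def lax_cors_headers(origin):
    """The weak pattern: reflect whatever Origin the browser sent and allow
    credentials.  Any web page can then make authenticated requests to the
    API and read the responses."""
    if origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def strict_cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Acknowledge only allow-listed origins.  With no ACAO header the
    browser refuses to hand the response to the calling page."""
    if origin in allowed:
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Vary": "Origin",
        }
    return {}


def origin_of(url):
    """scheme://host[:port] of a URL, or None if it has no host."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_cross_site(headers, allowed=ALLOWED_ORIGINS):
    """Server-side check for state-changing requests.  CORS only controls
    what a foreign page may *read*; a form POST or no-cors fetch is still
    delivered, so the server must reject it itself.  Prefer the browser's
    Sec-Fetch-Site header, fall back to Origin, then Referer."""
    h = {k.lower(): v for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    if site in ("same-origin", "none"):
        return False          # same origin, or a user-initiated navigation
    if site == "cross-site":
        return True
    src = h.get("origin") or h.get("referer")
    if not src:
        return True           # no provenance: fail closed on mutating endpoints
    return origin_of(src) not in allowed
```

In a FastAPI/Starlette app the allow-list maps onto CORSMiddleware's allow_origins with allow_credentials=True; the is_cross_site check belongs in a dependency applied to every POST route, because CORS headers alone never stop a simple cross-site POST from executing.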
CVE-2026-1116 | P4 | MEDIUM | CVSS 6.1 | ≥ unspecified, < 2.2.0 | 2026-04-12 | nvd
CWE-79. A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScrip

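The fix the advisory describes for CVE-2026-1116 is HTML encoding of user-controlled fields at the point where a message is deserialised. As an added example, not code from lollms, the block below uses a stand-in Message dataclass (the name, from_dict_unsafe and render are assumptions) to contrast verbatim storage with escaping at the trust boundary, using a constructed payload.

```python
"""HTML-escaping message content at deserialisation (added example).

Constructed for this page; Message, from_dict_unsafe and render are
stand-ins, not the AppLollmsMessage class from lollms.
"""
import html
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    content: str

    @classmethod
    def from_dict_unsafe(cls, d):
        """The vulnerable pattern: user-supplied fields stored verbatim and
        later interpolated into HTML."""
        return cls(sender=str(d.get("sender", "")),
                   content=str(d.get("content", "")))

    @classmethod
    def from_dict(cls, d):
        """Escape every string field at the trust boundary, so whatever a
        later sink does with it, markup from the client is inert."""
        return cls(sender=html.escape(str(d.get("sender", "")), quote=True),
                   content=html.escape(str(d.get("content", "")), quote=True))


def render(msg):
    """Naive template that trusts its inputs: the kind of sink that turns
    unescaped content into stored XSS."""
    return f'<div class="msg"><b>{msg.sender}</b>: {msg.content}</div>'


# Constructed payload of the kind an attacker would ship in an imported
# discussion or an API body.
PAYLOAD = {"sender": "user", "content": '<img src=x onerror="alert(1)">'}
```

Escaping on construction protects every sink, but the stored value is then already encoded, so a renderer that escapes again (a Jinja template with autoescape on, for instance) will double-encode it; pick one boundary, apply it consistently, and escape the sender field too, since every deserialised string is attacker-controlled.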
CVE-2024-6985 | P4 | MEDIUM | CVSS 4.4 | ≥ unspecified, < 5.9.0 | 2024-10-11 | nvd
CWE-23. A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploit

CVE-2026-1163 | P4 | MEDIUM | CVSS 4.1 | ≥ unspecified, ≤ latest | 2026-04-08 | nvd
CWE-613. An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long

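CVE-2026-1163 names three separate gaps: no invalidation on password reset, no idle timeout, and an over-long lifetime. The following added example, written for this page rather than taken from lollms, shows one session store that closes all three. The timeouts, the in-memory dictionaries and the injectable clock are assumptions; a real deployment keeps the per-user password version in the user record so it survives restarts and is shared by every worker.

```python
"""Session invalidation on password reset plus idle timeout (added example).

Constructed for this page, not lollms' session code.  The timeouts and the
in-memory store are assumptions.
"""
import secrets
import time

IDLE_TIMEOUT = 30 * 60          # assumed: 30 min without a request ends the session
ABSOLUTE_LIFETIME = 12 * 3600   # assumed: hard cap regardless of activity


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.sessions = {}          # token -> dict(user, issued, last_seen, pw_version)
        self.password_version = {}  # user -> int, bumped on every credential change

    def login(self, user):
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = {
            "user": user, "issued": now, "last_seen": now,
            "pw_version": self.password_version.get(user, 0),
        }
        return token

    def reset_password(self, user):
        """Bumping the version invalidates every token minted before the
        reset, including ones held in another worker's memory; the eager
        delete only frees this process's entries immediately."""
        self.password_version[user] = self.password_version.get(user, 0) + 1
        for token in [t for t, s in self.sessions.items() if s["user"] == user]:
            del self.sessions[token]

    def validate(self, token):
        """Return the user for a live token, or None.  Expired or stale
        tokens are removed so they cannot be retried."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        stale = (
            now - s["last_seen"] > IDLE_TIMEOUT
            or now - s["issued"] > ABSOLUTE_LIFETIME
            or s["pw_version"] != self.password_version.get(s["user"], 0)
        )
        if stale:
            del self.sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]
```

The version comparison is what makes the reset robust: even a token that escaped the eager delete (a copy cached elsewhere, a replica that has not seen the deletion) fails validation because it carries the old password version.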
CVE-2024-3121 | P4 | LOW | CVSS 3.3 | ≥ unspecified, ≤ latest | 2024-06-24 | nvd
CWE-94. A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a se

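The shell=True pattern in CVE-2024-3121 is worth seeing next to its fix. The block below is an added example for this page, not lollms' create_conda_env; the regular expressions and helper names are assumptions chosen to admit ordinary environment names and CPython version strings and nothing else. It builds the command as an argv list, validates both parameters, and takes an injectable runner so the command can be inspected without conda installed.

```python
"""Building a conda command without a shell (added example).

Constructed for this page; not the create_conda_env function from lollms.
The validation patterns are assumptions.
"""
import re
import subprocess

# Assumed allow-lists: a conda env name and a "3.x[.y]" version string.
ENV_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")
PY_VERSION_RE = re.compile(r"3\.\d{1,2}(?:\.\d{1,2})?")


def create_conda_env_cmd_vulnerable(env_name, python_version):
    """The vulnerable construction: parameters interpolated into one string
    that is then handed to a shell (subprocess.Popen(..., shell=True)).
    Shell metacharacters in either parameter become commands."""
    return f"conda create -y -n {env_name} python={python_version}"


def validate_env_args(env_name, python_version):
    if not ENV_NAME_RE.fullmatch(env_name):
        raise ValueError(f"invalid environment name: {env_name!r}")
    if not PY_VERSION_RE.fullmatch(python_version):
        raise ValueError(f"invalid python version: {python_version!r}")
    return env_name, python_version


def is_rejected(env_name, python_version):
    """True if validation refuses the pair."""
    try:
        validate_env_args(env_name, python_version)
    except ValueError:
        return True
    return False


def create_conda_env_cmd(env_name, python_version):
    """argv list: each parameter is exactly one argument and no shell ever
    parses it.  The allow-list also blocks names starting with '-', which
    conda would otherwise read as an option."""
    env_name, python_version = validate_env_args(env_name, python_version)
    return ["conda", "create", "-y", "-n", env_name, f"python={python_version}"]


def create_conda_env(env_name, python_version, runner=subprocess.run):
    """runner is injectable so the command can be checked without conda."""
    cmd = create_conda_env_cmd(env_name, python_version)
    return runner(cmd, shell=False, check=True)


# Constructed attacker input of the kind the advisory describes.
INJECTED_NAME = "lollms; id > /tmp/pwned"
```

Passing a list with shell=False is the load-bearing change; the allow-list is defence in depth against argument injection (a name like "-n" or "--help") that a list alone does not prevent.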
CVE-2024-7058 | P4 | MEDIUM | CVSS 4.4 | ≥ unspecified, ≤ latest | 2025-03-20 | nvd
CWE-23. A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer.

CVE-2024-6971 | P4 | MEDIUM | CVSS 4.4 | ≥ unspecified, ≤ latest | 2024-10-11 | nvd
CWE-22. A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize o

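Four entries on this page (CVE-2024-9597, CVE-2024-6985, CVE-2024-7058 and CVE-2024-6971) are the same defect in different endpoints: a user-supplied path either has no containment check or has a string-pattern check that a spelling such as './' walks past. The block below is an added example written for this page; naive_sanitize, resolve_within, wipe_dir and the temporary fixture layout are illustrative assumptions, not lollms' sanitize_path or its /wipe_database handler. It contrasts a prefix check with canonicalise-then-compare, which also catches symlinks and absolute paths, and shows the root-itself edge case a delete endpoint must reject.

```python
"""Containing user-supplied paths under a base directory (added example).

Constructed for this page; naive_sanitize, resolve_within and wipe_dir are
illustrative, not lollms' sanitize_path or its /wipe_database handler.
"""
import shutil
import tempfile
from pathlib import Path


class UnsafePath(ValueError):
    """Raised when a user-supplied path would leave the base directory."""


def naive_sanitize(user_path):
    """A string check of the kind './' slips past: it only looks at how the
    path starts, so './../x' is accepted although it walks out of root."""
    if user_path.startswith("..") or user_path.startswith("/"):
        raise UnsafePath(user_path)
    return user_path


def resolve_within(root, user_path, allow_root=False):
    """Join, canonicalise (following symlinks, collapsing '.' and '..'),
    then check the result is still under root.  Because it works on the
    resolved path, no pattern has to anticipate every spelling."""
    root = Path(root).resolve()
    candidate = (root / user_path).resolve()
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafePath(user_path) from None
    if candidate == root and not allow_root:
        raise UnsafePath(user_path)   # 'wipe .' must not delete root itself
    return candidate


def escapes(root, user_path):
    """True if resolve_within rejects the path."""
    try:
        resolve_within(root, user_path)
    except UnsafePath:
        return True
    return False


def wipe_dir(root, key):
    """Delete the one database directory named by `key`, only under root."""
    target = resolve_within(root, key)
    shutil.rmtree(target)
    return target


def make_fixture():
    """Constructed layout: <tmp>/databases/db1 as root, a sibling 'secret'
    outside root, and a symlink inside root pointing at it (skipped if the
    platform refuses to create symlinks)."""
    base = Path(tempfile.mkdtemp(prefix="pt_demo_"))
    root = base / "databases"
    (root / "db1").mkdir(parents=True)
    secret = base / "secret"
    secret.mkdir()
    try:
        (root / "link").symlink_to(secret, target_is_directory=True)
    except OSError:
        pass
    return root, secret
```

The same resolve_within guard serves read-only endpoints (open_personality_folder, vectorize_folder) and destructive ones; for destructive ones keep allow_root=False so a key of '.' or an empty string cannot resolve to the base directory.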
Parisneo Lollms vulnerabilities | cvebase