568 matches found
PYSEC-2026-204
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...
CVE-2026-0558
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Dependsgetcurrentactiveus...
CVE-2026-0558 Unauthenticated File Upload in parisneo/lollms
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Dependsgetcurrentactiveus...
CVE-2026-0558 Unauthenticated File Upload in parisneo/lollms
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Dependsgetcurrentactiveus...
CVE-2026-0558
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Dependsgetcurrentactiveus...
CVE-2026-0558
The CVE-2026-0558 issue affects parisneo/lollms up to 2.2.0, where the /api/files/extract-text endpoint accepts file uploads without authentication, lacking the Depends(get_current_active_user) check. This exposes unauthenticated users to DoS via resource exhaustion and potential information disc...
CVE-2026-0560 Server-Side Request Forgery (SSRF) in parisneo/lollms
A Server-Side Request Forgery SSRF vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The downloadimagetotemp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...
CVE-2026-0560 Server-Side Request Forgery (SSRF) in parisneo/lollms
A Server-Side Request Forgery SSRF vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The downloadimagetotemp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...
CVE-2026-0560
A Server-Side Request Forgery SSRF vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The downloadimagetotemp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...
CVE-2026-0560
Summary of the vulnerability (CVE-2026-0560): In parisneo/lollms
CVE-2026-0562 Insecure Direct Object Reference (IDOR) in parisneo/lollms
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...
CVE-2026-0562
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...
CVE-2026-0562 Insecure Direct Object Reference (IDOR) in parisneo/lollms
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...
CVE-2026-0562
CVE-2026-0562 affects parisneo/lollms up to version 2.2.0. The vulnerability is an IDOR in the respond_request() flow at /api/friends/requests/{friendship_id}, where the authenticated user is not checked for membership in the friendship or for being the intended recipient. As described in Red Hat...
LoLLMs 代码问题漏洞
LoLLMs is a large language and multimodal system developed by Saifeddine ALOUI as an individual project. Versions of LoLLMs prior to 2.2.0 contained code vulnerabilities. These vulnerabilities stemmed from the API/export-content endpoint, which did not validate the URLs controlled by users,...
LoLLMs 授权问题漏洞
LoLLMs is a large language and multimodal system developed by Saifeddine ALOUI. Versions of LoLLMs 2.2.0 and earlier contained an authorization vulnerability. This vulnerability stemmed from the lack of mandatory authentication for the/api/files/extract-text endpoint, which could lead to...
LoLLMs 安全漏洞
LoLLMs is a large language and multimodal system personally developed by Saifeddine ALOUI. Versions of LoLLMs prior to 2.2.0 contained security vulnerabilities; these vulnerabilities stemmed from the RespondRequest function not implementing proper authorization checks, which could lead to insecur...
CVE-2026-33340
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...
CVE-2026-33340 LoLLMs WEBUI has unauthenticated Server-Side Request Forgery (SSRF) in /api/proxy endpoint
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...
EUVD-2026-14928
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery SSRF vulnerability has been identified in all known existing versions of lollms-webui. The @router.post"/api/proxy" endpoint allows unauthenticated attackers to...