564 matches found

Nuclei
added 6 hours ago

LoLLMs WEBUI - Server-Side Request Forgery

LoLLMs WEBUI contains a server-side request forgery caused by unauthenticated access to the /api/proxy endpoint, letting attackers force the server to make arbitrary GET requests; exploitation requires no authentication. id: CVE-2026-33340 info: name: LoLLMs WEBUI - Server-Side Request Forgery author:...

CVSS 9.1 | AI score 5.9 | EPSS 0.09402
Exploits 3 | References 2
Nuclei
added 6 hours ago

LolLMS < 2.2.0 - Server-Side Request Forgery

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via downloadimagetotemp in backend/routers/files.py without any validation, allowing an unauthenticated...

CVSS 7.5 | AI score 7.5 | EPSS 0.02629
Exploits 1 | References 3
Nuclei
added 6 hours ago

LOLLMS WebUI - Absolute Path Traversal

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the openfile endpoint of lollmsadvanced.py. The sanitizepath function with allowabsolutepath=True allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can...

CVSS 7.5 | AI score 7.2 | EPSS 0.11253
Exploits 1 | References 3
Nuclei
added 6 hours ago

LoLLMS WebUI - Subfolder Prediction via Path Traversal

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'addreferencetolocalmode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. id: CVE-2024-4841 info: name: LoLLMS WebUI - Subfolder Prediction via Path...

CVSS 4 | AI score 5.8 | EPSS 0.08457
Exploits 1
Nuclei
added yesterday

LoLLMS WebUI < 9.8 - Path Traversal

parisneo/lollms-webui contains a path traversal caused by improper handling of the 'category' parameter in the /listpersonalities endpoint, letting attackers list arbitrary directories; exploitation requires control over the 'category' parameter. id: CVE-2024-4322 info: name: LoLLMS WebUI 9.8 - Path Traversal...

CVSS 7.5 | AI score 7.2 | EPSS 0.45155
Exploits 1 | References 2
RedhatCVE
added 2026/04/13 7:22 p.m.

CVE-2026-1116

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVSS 8.2 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 1
NVD
added 2026/04/12 3:16 a.m.

CVE-2026-1116

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVSS 8.2 | EPSS 0.00015
Exploits 1 | References 2
Vulnrichment
added 2026/04/12 2:22 a.m.

CVE-2026-1116 Cross-site Scripting (XSS) in parisneo/lollms

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVSS 8.2 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 2
ATTACKERKB
added 2026/04/12 2:22 a.m.

CVE-2026-1116

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVSS 8.2 | AI score 7.2 | EPSS 0.00015
Exploits 1 | References 3
CVE
added 2026/04/12 2:22 a.m.

CVE-2026-1116

CVE-2026-1116 affects parisneo/lollms, specifically the AppLollmsMessage.from_dict deserialization path. The issue arises from insufficient sanitization/HTML encoding of the content field when processing user-provided data, leading to a Cross-site Scripting (XSS) vulnerability in versions prior t...

CVSS 8.2 | AI score 7.2 | EPSS 0.00015
Exploits 1 | References 2 | Affected Software 1
Cvelist
added 2026/04/12 2:22 a.m.

CVE-2026-1116 Cross-site Scripting (XSS) in parisneo/lollms

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...

CVSS 8.2 | EPSS 0.00015
Exploits 1 | References 2
Positive Technologies
added 2026/04/12 12:00 a.m.

PT-2026-32142

A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows ...

CVSS 8.2 | AI score 5.8 | EPSS 0.00015
Exploits 1 | References 3
CNNVD
added 2026/04/12 12:00 a.m.

LoLLMs Cross-Site Scripting Vulnerability

LoLLMs is a large language and multimodal system developed by Saifeddine ALOUI. Versions of LoLLMs prior to 2.2.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from the from_dict method in the AppLollmsMessage class, which did not sanitize or encode the content...

CVSS 8.2 | AI score 7.1 | EPSS 0.00015
Exploits 1 | References 2
Positive Technologies
added 2026/04/11 12:00 a.m.

PT-2026-32123

I found a Content-Type spoofing vulnerability in the image upload functionality of parisneo/lollms CVE-2026-5728. https://t.co/grkXMU7v9I security websecurity infosec appsec cve python bugbounty...

AI score 5.8
Exploits 0 | References 1
OSV
added 2026/04/10 9:31 a.m.

GHSA-8WRQ-FV5F-PFP2 parisneo/lollms vulnerable to stored XSS in the social feature

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the create_post function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVSS 9.6 | AI score 5.8 | EPSS 0.00068
Exploits 1 | References 4
CVE
added 2026/04/10 6:23 a.m.

CVE-2026-1115

CVE-2026-1115 affects parisneo/lollms prior to 2.2.0. A Stored XSS in create_post allows user-supplied content to be stored in DBPost and later rendered in the Home Feed, potentially executing in victims' browsers and affecting administrators. Affected component: backend/routers/social/init.py. ...

CVSS 9.6 | AI score 7.2 | EPSS 0.00068
Exploits 1 | References 2 | Affected Software 1
Cvelist
added 2026/04/10 6:23 a.m.

CVE-2026-1115 Stored XSS in parisneo/lollms

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the create_post function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVSS 9.6 | EPSS 0.00068
Exploits 1 | References 2
Vulnrichment
added 2026/04/10 6:23 a.m.

CVE-2026-1115 Stored XSS in parisneo/lollms

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the create_post function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVSS 9.6 | AI score 7.3 | EPSS 0.00068
Exploits 1 | References 2
OSV
added 2026/04/08 3:32 a.m.

GHSA-8JG2-726G-XH43 parisneo/lollms has an insufficient session expiration vulnerability

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...

CVSS 4.1 | AI score 5.8 | EPSS 0.00015
Exploits 0 | References 3
CVE
added 2026/04/08 2:20 a.m.

CVE-2026-1163

CVE-2026-1163 describes an insufficient session expiration in the latest version of parisneo/lollms, where active sessions are not invalidated after a password reset due to missing logic to reject idle requests and a default 31-day session duration. This enables a compromised account to retain ac...

CVSS 4.1 | AI score 5.9 | EPSS 0.00015
Exploits 0 | References 1