CVE-2026-1115 Stored XSS in parisneo/lollms

A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...

CVE-2026-1114

In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...

CVE-2024-2356 Remote Code Execution due to LFI in '/reinstall_extension' in parisneo/lollms-webui

A Local File Inclusion LFI vulnerability exists in the '/reinstallextension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post"/reinstallextension" route. This vulnerability allows attackers to inject a malicious name parameter, leading ...

EUVD-2024-2190

Malicious code in bioql PyPI...

EUVD-2024-27312

Malicious code in bioql PyPI...

EUVD-2024-17341

Malicious code in bioql PyPI...

EUVD-2025-6890

Malicious code in bioql PyPI...

EUVD-2025-7123

Malicious code in bioql PyPI...

CVE-2025-6386 Timing Attack Vulnerability in parisneo/lollms

The parisneo/lollms repository is affected by a timing attack vulnerability in the authenticateuser function within the lollmsauthentication.py file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The...

CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollmsbindinginfos is missing the clientid parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reloadbinding, /installbinding, /reinstallbinding, /unInstallbinding, /setactivebindingsettings, and /updatebindingsettin...

CVE-2024-8581

A vulnerability in the uploadapp function of parisneo/lollms-webui V12 Strawberry allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the filename value, causing a Path Traversal error...

CVE-2024-6986

A Cross-site Scripting XSS vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'fulltemplate' variable directly as HTML. This allows an attacker to execute maliciou...

CVE-2024-8736 Denial of Service (DoS) via Multipart Boundary in parisneo/lollms-webui

A Denial of Service DoS vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 Strawberry. The vulnerability can be exploited remotely via Cross-Site Request Forgery CSRF. Despite CSRF protection preventing file uploads, the application still processes multipa...

CVE-2024-8898 Path Traversal in parisneo/lollms-webui

A path traversal vulnerability exists in the install and uninstall API endpoints of parisneo/lollms-webui version V12 Strawberry. This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of...

CVE-2024-9919 Missing Authentication Check in parisneo/lollms-webui

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/appname API endpoint does not call the checkaccess function to verify the clientid, enabling attackers to delete directories without...

CVE-2024-8581 Path Traversal in parisneo/lollms-webui

A vulnerability in the uploadapp function of parisneo/lollms-webui V12 Strawberry allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the filename value, causing a Path Traversal error...

CVE-2024-6673

CVE-2024-6673 describes a CSRF vulnerability in the Parisneo LoLLMS WebUI. The issue exists in the install_comfyui endpoint of the lollms_comfyui.py file and is triggered via a GET request without client authentication, allowing an attacker to coerce a user into installing ComfyUI. Affected versi...

CVE-2024-6959

A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service DOS attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering lollms-webui...

CVE-2024-6959

A vulnerability (CVE-2024-6959) affects parisneo/lollms-webui version 9.8. The issue allows a Denial of Service when uploading an audio file by appending a large number of characters to the end of a multipart boundary, causing the system to repeatedly process each character and rendering the UI i...

CVE-2024-6985

A path traversal vulnerability exists in the api openpersonalityfolder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personalityfolder on the victim's computer, even though sanitizepath is set. The issue arises due to improper sanitization of t...