Lollms Web Ui

9 matches found

CVE
added 2024/10/29 1:15 p.m., 79 views

CVE-2024-6674

A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on behalf of a user, suc...

CVSS 8.1 | AI score 7.3 | EPSS 0.00047
CVE
added 2024/04/10 5:15 p.m., 66 views

CVE-2024-1602

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within...

CVSS 8.8 | AI score 6.4 | EPSS 0.00202
CVE
added 2025/03/20 10:15 a.m., 64 views

CVE-2024-9920

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the '/open_file' API endpoi...

CVSS 8.8 | AI score 7.1 | EPSS 0.00572
CVE
added 2025/03/20 10:15 a.m., 60 views

CVE-2024-9919

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories with...

CVSS 8.4 | AI score 8.4 | EPSS 0.00062
CVE
added 2024/05/16 9:15 a.m., 52 views

CVE-2024-3435

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an a...

CVSS 8.4 | AI score 7.6 | EPSS 0.00243
CVE
added 2024/06/06 7:15 p.m., 43 views

CVE-2024-2288

A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, specifically in the parisneo/lollms-webui repository, affecting versions up to 7.3.0. This vulnerability allows attackers to change a victim's profile picture without thei...

CVSS 8.3 | AI score 8 | EPSS 0.00217
CVE
added 2024/05/16 9:15 a.m., 42 views

CVE-2024-3126

A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifically within the 'lollms_xtts.py' script. The vulnerability arises due to the improper neutralization of special elements used in an OS command. The affected function util...

CVSS 8.4 | AI score 8.5 | EPSS 0.01106
CVE
added 2024/07/02 3:15 p.m., 41 views

CVE-2024-4897

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attac...

CVSS 8.4 | AI score 9.4 | EPSS 0.52992
CVE
added 2024/08/01 4:15 p.m., 36 views

CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_bind...

CVSS 8.8 | AI score 4.9 | EPSS 0.00121