Lollms-webui Security Vulnerabilities and Issues — Lollms-webui CVE List

Lucene search

LollmsLollms-webui

8 matches found

CVE•added 2024/04/16 12:15 a.m.•54 views

CVE-2024-1646

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized ac...

8.2CVSS7AI score0.00067EPSS

Web

CVE•added 2024/05/22 8:15 p.m.•53 views

CVE-2024-4267

A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit this vulne...

9.8CVSS8.9AI score0.01273EPSS

CVE•added 2024/04/16 12:15 a.m.•46 views

CVE-2024-1601

An SQL injection vulnerability exists in the delete_discussion() function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the /delete_discussion endpoint, which internally ...

9.8CVSS7.6AI score0.00274EPSS

Web

CVE•added 2024/04/16 12:15 a.m.•40 views

CVE-2024-1569

parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the /open_code_in_vs_code and similar endpoints without authentication by sending repeated HTTP POST requests, leading to the opening of Visual Studio Code or the ...

7.5CVSS7.1AI score0.00122EPSS

CVE•added 2024/10/11 1:15 p.m.•40 views

CVE-2024-6971

A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the lollms_file_system.py file. The functions add_rag_database, toggle_mount_rag_database, and vectorize_folder do not implement security measures such as sanitize_path_from_endpoint or sanitize_path. Thi...

4.4CVSS3.8AI score0.00028EPSS

CVE•added 2024/06/10 3:15 p.m.•39 views

CVE-2024-4403

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF...

8.8CVSS4.6AI score0.00055EPSS

CVE•added 2024/06/24 1:15 p.m.•35 views

CVE-2024-4839

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and Motion Ctrl service...

4.4CVSS4.7AI score0.0003EPSS

CVE•added 2024/11/14 6:15 p.m.•35 views

CVE-2024-5125

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upo...

7.3CVSS6.7AI score0.00028EPSS