4 matches found

CVE, added 2024/09/30 8:15 a.m., 45 views

CVE-2024-6394

A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the serve_js function in app.py, which allows attackers to perform path traversal attacks. This can lead to unauthorized access to arbitrary files o...

CVSS 7.5, AI score 7.4, EPSS 0.00181
CVE, added 2024/10/11 1:15 p.m., 37 views

CVE-2024-6971

A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the lollms_file_system.py file. The functions add_rag_database, toggle_mount_rag_database, and vectorize_folder do not implement security measures such as sanitize_path_from_endpoint or sanitize_path. Thi...

CVSS 4.4, AI score 3.8, EPSS 0.00026
CVE, added 2024/08/01 4:15 p.m., 36 views

CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_bind...

CVSS 8.8, AI score 4.9, EPSS 0.00121
CVE, added 2024/11/14 6:15 p.m., 35 views

CVE-2024-5125

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files, which is executed upo...

CVSS 7.3, AI score 6.7, EPSS 0.00024