Lollms-webui Security Vulnerabilities and Issues — Lollms-webui CVE List

Lucene search

ParisneoLollms-webui

7 matches found

CVE•added 2024/03/30 6:15 p.m.•123 views

CVE-2024-1522

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the /execute_code API endpoint, which does not properly validate requests, enabling an attacker to craft a mali...

8.8CVSS9.1AI score0.00944EPSS

CVE•added 2024/04/10 5:15 p.m.•66 views

CVE-2024-1602

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within...

8.8CVSS6.4AI score0.00202EPSS

CVE•added 2024/04/16 12:15 a.m.•53 views

CVE-2024-1646

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound to a specific interface, allowing unauthorized ac...

8.2CVSS7AI score0.00088EPSS

CVE•added 2024/05/16 9:15 a.m.•52 views

CVE-2024-3435

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an a...

8.4CVSS7.6AI score0.00243EPSS

CVE•added 2024/07/02 3:15 p.m.•41 views

CVE-2024-4897

parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attac...

8.4CVSS9.4AI score0.52992EPSS

CVE•added 2024/06/10 3:15 p.m.•38 views

CVE-2024-4403

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without their knowledge, by sending specially crafted CSRF...

8.8CVSS4.6AI score0.00055EPSS

CVE•added 2024/08/01 4:15 p.m.•36 views

CVE-2024-6040

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_bind...

8.8CVSS4.9AI score0.00121EPSS