Critical severity9.1NVD Advisory· Published Jun 12, 2024· Updated Apr 15, 2026

CVE-2024-4315

Description

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The sanitize_path_from_endpoint function fails to properly sanitize Windows-style paths (backward slash \), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including personalities and /del_preset, to read or delete any file on the Windows filesystem, compromising the system's availability.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
lollmsPyPI	< 9.5.0	9.5.0

Patches

95ad36eeffc6

https://github.com/parisneo/lollmsvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-vqwr-q6cc-c242ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-4315ghsaADVISORY
github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6nvdWEB
huntr.com/bounties/8a1b0197-2c36-4276-b92b-630a2a9bb09cnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000