High severity7.4NVD Advisory· Published Jun 27, 2024· Updated Apr 15, 2026

CVE-2024-5824

Description

A path traversal vulnerability in the /set_personality_config endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the configs/config.yaml file. This can lead to remote code execution by changing server configuration properties such as force_accept_remote_access and turn_on_code_validation.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
lollmsPyPI	< 9.5.0	9.5.0

Patches

eda3af5f5c4e

https://github.com/parisneo/lollmsvia ghsa

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-m45c-v46h-c788ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-5824ghsaADVISORY
github.com/parisneo/lollms/commit/eda3af5f5c4ea9b2f3569f72f8d05989e29367fcnvdWEB
huntr.com/bounties/9ceb7cf9-a7cd-4699-b3f8-d0999d2b49fdnvdWEB

News mentions

No linked articles in our index yet.

cvss	0.481
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000