VYPR
Unrated severityNVD Advisory· Published Aug 1, 2024· Updated Oct 15, 2025

Missing client_id in parisneo/lollms-webui

CVE-2024-6040

Description

In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding, /set_active_binding_settings, and /update_binding_settings are susceptible to CSRF attacks and local attacks. An attacker can exploit this vulnerability to perform unauthorized actions on the victim's machine.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • Lollms/Lollmsllm-fuzzy
    Range: = v9.8
  • parisneo/parisneo/lollmsv5
    Range: unspecified

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.