Critical severity9.8NVD Advisory· Published Mar 29, 2026· Updated Mar 31, 2026

CVE-2026-0558

Description

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Depends(get_current_active_user) dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

Affected products

Lollms/Lollms
cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*
Range: <=2.1.0

Patches

a6625dc83786

https://github.com/parisneo/lollmsvia nvd-ref

commit

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3nvdPatch
huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113nvdExploitIssue TrackingThird Party Advisory

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000