High severity7.5NVD Advisory· Published Mar 29, 2026· Updated Mar 31, 2026
CVE-2026-0560
CVE-2026-0560
Description
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The _download_image_to_temp() function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
2- github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263nvdPatch
- huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5nvdExploitIssue TrackingThird Party Advisory
News mentions
0No linked articles in our index yet.