VYPR

Lollms (by Lollms)

PyPI package: lollms

CVEs (75)

  • CVE-2026-33340 · Critical · Mar 24, 2026
    risk 0.60 · CVSS 9.1 · EPSS 0.22

    LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows…

  • CVE-2026-1114 · Critical · Apr 7, 2026
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the…

  • CVE-2026-0558 · Critical · Mar 29, 2026
    risk 0.57 · CVSS 9.8 · EPSS 0.00

    A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the…

  • CVE-2024-5443 · Critical · Jun 22, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the…

  • CVE-2024-4078 · Critical · May 16, 2024
    risk 0.57 · CVSS 9.8 · EPSS 0.01

    A vulnerability in parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the…

  • CVE-2024-6085 · High · Jun 27, 2024
    risk 0.56 · CVSS 8.6 · EPSS 0.01

    A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this…

  • CVE-2026-1115 · Critical · Apr 10, 2026
    risk 0.55 · CVSS 9.6 · EPSS 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content…

  • CVE-2024-2356 · Critical · Feb 2, 2026
    risk 0.55 · CVSS 9.6 · EPSS 0.01

    A Local File Inclusion (LFI) vulnerability exists in the `/reinstall_extension` endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a…

  • CVE-2024-11302 · High · Mar 20, 2025
    risk 0.52 · CVSS 8.0 · EPSS 0.00

    A missing `check_access()` function in the `lollms_binding_infos` module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the `/install_binding` and `/reinstall_binding` endpoints, among others,…

  • CVE-2024-4315 · Critical · Jun 12, 2024
    risk 0.52 · CVSS 9.1 · EPSS 0.01

    parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backslash `\`), allowing attackers to perform directory…

  • CVE-2024-6982 · High · Mar 20, 2025
    risk 0.48 · CVSS 8.4 · EPSS 0.00

    A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows…

  • CVE-2026-0562 · High · Mar 29, 2026
    risk 0.47 · CVSS 8.3 · EPSS 0.00

    A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks,…

  • CVE-2024-6139 · High · Jun 27, 2024
    risk 0.47 · CVSS 7.3 · EPSS 0.01

    A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of…

  • CVE-2026-1117 · High · Feb 2, 2026
    risk 0.46 · CVSS 8.2 · EPSS 0.00

    A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and…

  • CVE-2024-9597 · High · Mar 20, 2025
    risk 0.46 · CVSS 7.1 · EPSS 0.00

    A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An…

  • CVE-2026-0560 · High · Mar 29, 2026
    risk 0.42 · CVSS 7.5 · EPSS 0.02

    A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing…

  • CVE-2025-6386 · High · Jul 7, 2025
    risk 0.42 · CVSS 7.5 · EPSS 0.00

    The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response…

  • CVE-2024-5824 · High · Jun 27, 2024
    risk 0.41 · CVSS 7.4 · EPSS 0.00

    A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as…

  • CVE-2024-6281 · High · Jul 20, 2024
    risk 0.40 · CVSS 7.3 · EPSS 0.00

    A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to…

  • CVE-2026-1116 · Medium · Apr 12, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing…

Page 1 of 4