VYPR

Vendor CVEs

Lollms

All CVEs

75 total · sorted by risk
  • CVE-2026-33340CriMar 24, 2026
    risk 0.60cvss 9.1epss 0.22

    LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows…

  • CVE-2026-1114CriApr 7, 2026
    risk 0.57cvss 9.8epss 0.01

    In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the…

  • CVE-2026-0558CriMar 29, 2026
    risk 0.57cvss 9.8epss 0.00

    A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the…

  • CVE-2024-5443CriJun 22, 2024
    risk 0.57cvss 9.8epss 0.01

    CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the…

  • CVE-2024-4078CriMay 16, 2024
    risk 0.57cvss 9.8epss 0.01

    A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the…

  • CVE-2024-6085HigJun 27, 2024
    risk 0.56cvss 8.6epss 0.01

    A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this…

  • CVE-2026-1115CriApr 10, 2026
    risk 0.55cvss 9.6epss 0.00

    A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content…

  • CVE-2024-2356CriFeb 2, 2026
    risk 0.55cvss 9.6epss 0.01

    A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a…

  • CVE-2024-11302HigMar 20, 2025
    risk 0.52cvss 8.0epss 0.00

    A missing check_access() function in the lollms_binding_infos module of the parisneo/lollms repository, version V14, allows attackers to add, modify, and remove bindings arbitrarily. This vulnerability affects the /install_binding and /reinstall_binding endpoints, among others,…

  • CVE-2024-4315CriJun 12, 2024
    risk 0.52cvss 9.1epss 0.01

    parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory…

  • CVE-2024-6982HigMar 20, 2025
    risk 0.48cvss 8.4epss 0.00

    A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows…

  • CVE-2026-0562HigMar 29, 2026
    risk 0.47cvss 8.3epss 0.00

    A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks,…

  • CVE-2024-6139HigJun 27, 2024
    risk 0.47cvss 7.3epss 0.01

    A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of…

  • CVE-2026-1117HigFeb 2, 2026
    risk 0.46cvss 8.2epss 0.00

    A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and…

  • CVE-2024-9597HigMar 20, 2025
    risk 0.46cvss 7.1epss 0.00

    A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An…

  • CVE-2026-0560HigMar 29, 2026
    risk 0.42cvss 7.5epss 0.02

    A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing…

  • CVE-2025-6386HigJul 7, 2025
    risk 0.42cvss 7.5epss 0.00

    The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response…

  • CVE-2024-5824HigJun 27, 2024
    risk 0.41cvss 7.4epss 0.00

    A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as…

  • CVE-2024-6281HigJul 20, 2024
    risk 0.40cvss 7.3epss 0.00

    A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to…

  • CVE-2026-1116MedApr 12, 2026
    risk 0.33cvss 6.1epss 0.00

    A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing…

  • CVE-2024-4320Jun 6, 2024
    risk 0.05cvss epss 0.34

    A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. The vulnerability arises due to improper handling of the `name` parameter…

  • CVE-2024-4322May 16, 2024
    risk 0.04cvss epss 0.31

    A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `/list_personalities` endpoint. By manipulating the `category` parameter, an attacker can traverse the directory structure and list any directory on the system. This issue…

  • CVE-2024-1520Apr 10, 2024
    risk 0.04cvss epss 0.48

    An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS…

  • CVE-2024-1601Apr 16, 2024
    risk 0.03cvss epss 0.40

    An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the `/delete_discussion`…

  • CVE-2024-1600Apr 10, 2024
    risk 0.02cvss epss 0.31

    A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired…

  • CVE-2024-6250Jun 27, 2024
    risk 0.01cvss epss 0.02

    An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows…

  • CVE-2024-4841Jun 23, 2024
    risk 0.01cvss epss 0.01

    A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulnerability, an attacker can…

  • CVE-2024-1873Jun 6, 2024
    risk 0.01cvss epss 0.13

    parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpoint improperly handles file paths, allowing attackers to specify absolute paths when interacting with the…

  • CVE-2024-12766Mar 20, 2025
    risk 0.00cvss epss 0.01

    parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized web resources by specifying the…

  • CVE-2024-8736Mar 20, 2025
    risk 0.00cvss epss 0.00

    A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing file uploads, the application…

  • CVE-2024-8898Mar 20, 2025
    risk 0.00cvss epss 0.01

    A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient…

  • CVE-2025-1451Mar 20, 2025
    risk 0.00cvss epss 0.01

    A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft requests with excessively long…

  • CVE-2024-6986Mar 20, 2025
    risk 0.00cvss epss 0.00

    A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as HTML. This allows an…

  • CVE-2024-10019Mar 20, 2025
    risk 0.00cvss epss 0.01

    A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malicious `server.py` file and…

  • CVE-2024-9920Mar 20, 2025
    risk 0.00cvss epss 0.01

    In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious content and then using the…

  • CVE-2024-9919Mar 20, 2025
    risk 0.00cvss epss 0.00

    A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to…

  • CVE-2024-7058Mar 20, 2025
    risk 0.00cvss epss 0.00

    A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder on the victim's computer.

  • CVE-2024-10047Mar 20, 2025
    risk 0.00cvss epss 0.01

    parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.

  • CVE-2024-8581Mar 20, 2025
    risk 0.00cvss epss 0.01

    A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error.

  • CVE-2024-5125Nov 14, 2024
    risk 0.00cvss epss 0.00

    parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaScript code within SVG files,…

  • CVE-2024-6673Oct 29, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a client ID, allowing an attacker…

  • CVE-2024-6674Oct 29, 2024
    risk 0.00cvss epss 0.00

    A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable attackers to perform actions on…

  • CVE-2024-6959Oct 13, 2024
    risk 0.00cvss epss 0.00

    A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously process each character, rendering…

  • CVE-2024-6394Sep 30, 2024
    risk 0.00cvss epss 0.01

    A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This can lead to unauthorized…

  • CVE-2024-6040Aug 1, 2024
    risk 0.00cvss epss 0.00

    In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_binding,…

  • CVE-2024-4897Jul 2, 2024
    risk 0.00cvss epss 0.00

    parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo'…

  • CVE-2024-5933Jun 27, 2024
    risk 0.00cvss epss 0.00

    A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of the user's browser.

  • CVE-2024-4498Jun 25, 2024
    risk 0.00cvss epss 0.00

    A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allowing an attacker to…

  • CVE-2024-4839Jun 24, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Petals service, vLLM service, and…

  • CVE-2024-4499Jun 24, 2024
    risk 0.00cvss epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS policy. The vulnerability allows attackers to perform unauthorized actions by tricking a user into visiting a malicious webpage, which can then trigger…

Page 1 of 2