Lollms

Lollms Web Ui

45 vulnerabilities found.

Note: This list may be incomplete. Data is provided in its original format without warranty.

Exploit
  • EPSS 0.12%
  • Published 20.03.2025 10:11:20
  • Last modified 08.07.2025 16:24:32

parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/proxy` REST API. Attackers can exploit this vulnerability to abuse the victim server's credentials to access unauthorized we...

Exploit
  • EPSS 0.07%
  • Published 20.03.2025 10:11:17
  • Last modified 04.04.2025 09:15:16

A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). The vulnerability can be exploited remotely via Cross-Site Request Forgery (CSRF). Despite CSRF protection preventing ...

Exploit
  • EPSS 0.12%
  • Published 20.03.2025 10:10:58
  • Last modified 01.04.2025 20:30:45

A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue ...

Exploit
  • EPSS 0.25%
  • Published 20.03.2025 10:10:49
  • Last modified 15.10.2025 13:16:01

A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server does not limit or validate the length of the boundary or the characters appended to it, allowing an attacker to craft r...

Exploit
  • EPSS 0.05%
  • Published 20.03.2025 10:10:40
  • Last modified 08.07.2025 16:14:33

A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is due to the improper use of the 'v-html' directive, which inserts the content of the 'full_template' variable directly as...

Exploit
  • EPSS 0.06%
  • Published 20.03.2025 10:10:14
  • Last modified 15.10.2025 13:15:33

A vulnerability in the `start_app_server` function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS command injection. The function does not properly sanitize the `app_name` parameter, enabling an attacker to upload a malici...

Exploit
  • EPSS 0.89%
  • Published 20.03.2025 10:10:08
  • Last modified 03.04.2025 18:02:58

In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with malicious c...

Exploit
  • EPSS 0.03%
  • Published 20.03.2025 10:09:56
  • Last modified 15.10.2025 13:15:59

A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_...

Exploit
  • EPSS 0.05%
  • Published 20.03.2025 10:09:45
  • Last modified 08.07.2025 16:10:59

A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization by using relative paths such as './'. This can lead to unauthorized access to directories within the personality_folder...

Exploit
  • EPSS 1.06%
  • Published 20.03.2025 10:09:35
  • Last modified 08.07.2025 16:28:09

parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitrary directories on a Windows system by sending a specially crafted HTTP request to the /open_file endpoint.