CVE-2024-8581
- EPSS 0.22%
- Published 20.03.2025 10:09:25
- Last modified 15.10.2025 13:15:55
A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Tr...
CVE-2024-6674
- EPSS 0.15%
- Published 29.10.2024 13:15:08
- Last modified 01.11.2024 20:34:18
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. This vulnerability can also enable atta...
CVE-2024-6673
- EPSS 0.08%
- Published 29.10.2024 13:15:08
- Last modified 01.11.2024 20:37:28
A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. The endpoint uses the GET method without requiring a clie...
CVE-2024-6959
- EPSS 0.13%
- Published 13.10.2024 13:15:10
- Last modified 03.11.2024 17:15:15
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DoS) attack when uploading an audio file. If an attacker appends a large number of characters to the end of a multipart boundary, the system will continuously proces...
CVE-2024-6394
- EPSS 0.51%
- Published 30.09.2024 08:15:03
- Last modified 09.07.2025 14:18:48
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified path concatenation in the `serve_js` function in `app.py`, which allows attackers to perform path traversal attacks. This...
CVE-2024-6040
- EPSS 0.06%
- Published 01.08.2024 16:15:06
- Last modified 15.10.2025 13:15:49
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifically, the endpoints /reload_binding, /install_binding, /reinstall_binding, /unInstall_bindin...
CVE-2024-4897
- EPSS 1.1%
- Published 02.07.2024 15:15:11
- Last modified 09.07.2025 14:22:10
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the applic...
CVE-2024-6250
- EPSS 11.25%
- Published 27.06.2024 19:15:20
- Last modified 09.07.2025 14:23:34
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files...
CVE-2024-5933
- EPSS 0.13%
- Published 27.06.2024 19:15:17
- Last modified 13.02.2025 15:43:43
A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This vulnerability allows an attacker to inject malicious scripts via chat messages, which are then executed in the context of...
CVE-2024-4498
- EPSS 0.2%
- Published 25.06.2024 20:15:12
- Last modified 09.07.2025 14:24:04
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions v9.7 to the latest. The vulnerability arises from insufficient input validation in the `/apply_settings` function, allo...