Lollms

Lollms-webui

9 vulnerabilities found.

Note: This list may be incomplete. Data is provided without warranty in its original format.
Exploit
  • EPSS 0.09%
  • Published 14.11.2024 18:15:26
  • Last modified 23.12.2025 20:15:46

parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation and processing of SVG files during the upload process. The XSS vulnerability allows attackers to embed malicious JavaSc...

Exploit
  • EPSS 0.03%
  • Published 11.10.2024 13:15:16
  • Last modified 15.08.2025 20:38:03

A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures ...

Exploit
  • EPSS 0.03%
  • Published 24.06.2024 13:15:11
  • Last modified 07.07.2025 17:31:29

A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, versions 9.6 to the latest. The affected functions include Elastic search Service (under construction), XTTS service, Peta...

Exploit
  • EPSS 9.23%
  • Published 23.06.2024 15:15:09
  • Last modified 07.11.2025 16:19:44

A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function due to the lack of input sanitization. This vulnerability affects versions v9.6 to the latest. By exploiting this vulne...

Exploit
  • EPSS 0.06%
  • Published 10.06.2024 15:15:52
  • Last modified 15.08.2025 20:39:51

A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This vulnerability allows attackers to trick users into performing unintended actions, such as resetting the program without t...

Exploit
  • EPSS 1.72%
  • Published 22.05.2024 20:15:09
  • Last modified 15.08.2025 20:40:20

A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, version 9.5. The vulnerability arises due to improper neutralization of special elements used in a command within the 'open_f...

Exploit
  • EPSS 0.12%
  • Published 16.04.2024 00:15:09
  • Last modified 07.07.2025 15:52:34

parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can exploit the `/open_code_in_vs_code` and similar endpoints without authentication by sending repeated HTTP POST requests, l...

Exploit
  • EPSS 5.48%
  • Published 16.04.2024 00:15:09
  • Last modified 07.07.2025 15:54:16

An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to...

Exploit
  • EPSS 0.07%
  • Published 16.04.2024 00:15:09
  • Last modified 15.08.2025 20:33:28

parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The application checks if the host parameter is not '0.0.0.0' to restrict access, which is inadequate when the application is bound ...