Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/32282?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/32282?format=api", "purl": "pkg:pypi/lollms@9.5.1", "type": "pypi", "namespace": "", "name": "lollms", "version": "9.5.1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": null, "latest_non_vulnerable_version": null, "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/79139?format=api", "vulnerability_id": "VCID-4yfc-ecwf-x7b1", "summary": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1163", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03181", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03173", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03168", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00015", "scoring_system": "epss", "scoring_elements": "0.03185", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-1163" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", 
"scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1163", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1163" }, { "reference_url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b", "reference_id": "abe2d1c4-c21c-4608-8a8e-274565246a8b", "reference_type": "", "scores": [ { "value": "4.1", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "4.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:58:28Z/" } ], "url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b" }, { "reference_url": "https://github.com/advisories/GHSA-8jg2-726g-xh43", "reference_id": "GHSA-8jg2-726g-xh43", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8jg2-726g-xh43" } ], "fixed_packages": [], "aliases": [ "CVE-2026-1163", "GHSA-8jg2-726g-xh43" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-4yfc-ecwf-x7b1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50598?format=api", "vulnerability_id": "VCID-ar4r-4cnr-13gc", "summary": "A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. 
Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6581", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.01646", "scoring_system": "epss", "scoring_elements": "0.82456", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.01646", "scoring_system": "epss", "scoring_elements": "0.82452", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.01646", "scoring_system": "epss", "scoring_elements": "0.82461", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.01646", "scoring_system": "epss", "scoring_elements": "0.8239", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6581" }, { "reference_url": "https://github.com/advisories/GHSA-cm59-8rmv-f2cj", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-cm59-8rmv-f2cj" }, { "reference_url": "https://github.com/parisneo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://github.com/parisneo/lollms" }, { "reference_url": "https://github.com/pypa/advisory-database/tree/main/vulns/lollms/PYSEC-2024-116.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/pypa/advisory-database/tree/main/vulns/lollms/PYSEC-2024-116.yaml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6581", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6581" }, { "reference_url": "https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd", "reference_id": "328b960a0de2097e13654ac752253e9541521ddd", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": 
"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:17:31Z/" } ], "url": "https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd" }, { "reference_url": "https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7", "reference_id": "ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" }, { "value": "5.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:17:31Z/" } ], "url": "https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7" } ], "fixed_packages": [], "aliases": [ "CVE-2024-6581", "GHSA-cm59-8rmv-f2cj", "PYSEC-2024-116" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-ar4r-4cnr-13gc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50008?format=api", "vulnerability_id": "VCID-au6c-n4km-4bfz", "summary": "A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. 
The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6139", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30906", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30907", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30709", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00121", "scoring_system": "epss", "scoring_elements": "0.30923", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6139" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6139", "reference_id": "CVE-2024-6139", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6139" }, { "reference_url": "https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0", "reference_id": "fd00f112-efd0-40a1-8227-d6733716e4c0", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" }, { "value": "HIGH", 
"scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-27T20:06:46Z/" } ], "url": "https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0" }, { "reference_url": "https://github.com/advisories/GHSA-w9qf-83jg-2x6c", "reference_id": "GHSA-w9qf-83jg-2x6c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9qf-83jg-2x6c" } ], "fixed_packages": [], "aliases": [ "CVE-2024-6139", "GHSA-w9qf-83jg-2x6c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-au6c-n4km-4bfz" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/110556?format=api", "vulnerability_id": "VCID-f5pj-epgg-cka3", "summary": "The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. 
The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6386", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49803", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49809", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49666", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0026", "scoring_system": "epss", "scoring_elements": "0.49821", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-6386" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6386", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-6386" }, { "reference_url": "https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67", "reference_id": "6da05485-d219-4f18-9ffc-991053524b67", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { 
"value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:22:38Z/" } ], "url": "https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67" }, { "reference_url": "https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48", "reference_id": "f78437f7b5aa39a78c6201912faf4e0645a38c48", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:22:38Z/" } ], "url": "https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48" }, { "reference_url": "https://github.com/advisories/GHSA-j5pr-vrjj-9v4h", "reference_id": "GHSA-j5pr-vrjj-9v4h", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j5pr-vrjj-9v4h" } ], "fixed_packages": [], "aliases": [ "CVE-2025-6386", "GHSA-j5pr-vrjj-9v4h" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-f5pj-epgg-cka3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50721?format=api", "vulnerability_id": "VCID-jpg6-7hr6-d7ah", "summary": "A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. 
This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6085", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.33067", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.33245", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.33268", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00134", "scoring_system": "epss", "scoring_elements": "0.33248", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6085" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6085", "reference_id": "CVE-2024-6085", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6085" }, { "reference_url": "https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe", "reference_id": 
"d2fb73d7-4b4f-451a-8763-484c189a27fe", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-05T14:03:35Z/" } ], "url": "https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe" }, { "reference_url": "https://github.com/advisories/GHSA-9chm-m6x2-6fvc", "reference_id": "GHSA-9chm-m6x2-6fvc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-9chm-m6x2-6fvc" } ], "fixed_packages": [], "aliases": [ "CVE-2024-6085", "GHSA-9chm-m6x2-6fvc" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jpg6-7hr6-d7ah" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50755?format=api", "vulnerability_id": "VCID-p99a-pyqn-cfbf", "summary": "A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. 
This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6971", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08249", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08244", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08213", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00027", "scoring_system": "epss", "scoring_elements": "0.08245", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6971" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://github.com/ParisNeo/lollms/commit/aeace796d861e922133b769710019608a6363264", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms/commit/aeace796d861e922133b769710019608a6363264" }, { "reference_url": 
"https://nvd.nist.gov/vuln/detail/CVE-2024-6971", "reference_id": "CVE-2024-6971", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6971" }, { "reference_url": "https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e", "reference_id": "fbfe7cd0-99fb-4305-bd07-8b573364109e", "reference_type": "", "scores": [ { "value": "3.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" }, { "value": "3.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L" }, { "value": "1.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:31:13Z/" } ], "url": "https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e" }, { "reference_url": "https://github.com/advisories/GHSA-7pgr-32fx-c6x9", "reference_id": "GHSA-7pgr-32fx-c6x9", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7pgr-32fx-c6x9" } ], "fixed_packages": [], "aliases": [ "CVE-2024-6971", "GHSA-7pgr-32fx-c6x9" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p99a-pyqn-cfbf" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50695?format=api", "vulnerability_id": 
"VCID-qmrn-43fj-s3ac", "summary": "A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6985", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17224", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17053", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17212", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00053", "scoring_system": "epss", "scoring_elements": "0.17198", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6985" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620", "reference_id": "28ee567a9a120967215ff19b96ab7515ce469620", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.4", "scoring_system": 
"cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T16:13:21Z/" } ], "url": "https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620" }, { "reference_url": "https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a", "reference_id": "79c11579-47d8-4e68-8466-b47c3bf5ef6a", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T16:13:21Z/" } ], "url": "https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6985", "reference_id": "CVE-2024-6985", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N" }, { 
"value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6985" }, { "reference_url": "https://github.com/advisories/GHSA-6h64-g7cj-hj56", "reference_id": "GHSA-6h64-g7cj-hj56", "reference_type": "", "scores": [ { "value": "4.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6h64-g7cj-hj56" } ], "fixed_packages": [], "aliases": [ "CVE-2024-6985", "GHSA-6h64-g7cj-hj56", "PYSEC-2024-122" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qmrn-43fj-s3ac" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50204?format=api", "vulnerability_id": "VCID-uqk3-zhhb-qbf3", "summary": "A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. 
The issue is fixed in version 9.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6982", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34063", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.33865", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.34042", "published_at": "2026-06-14T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6982" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6982", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6982" }, { "reference_url": "https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832", "reference_id": "30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:49:52Z/" } ], 
"url": "https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832" }, { "reference_url": "https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea", "reference_id": "4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea", "reference_type": "", "scores": [ { "value": "8.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "8.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:49:52Z/" } ], "url": "https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea" }, { "reference_url": "https://github.com/advisories/GHSA-jccx-m9v4-9hwh", "reference_id": "GHSA-jccx-m9v4-9hwh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-jccx-m9v4-9hwh" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378120?format=api", "purl": "pkg:pypi/lollms@11.0.0", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4yfc-ecwf-x7b1" }, { "vulnerability": "VCID-f5pj-epgg-cka3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@11.0.0" } ], "aliases": [ "CVE-2024-6982", "GHSA-jccx-m9v4-9hwh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-uqk3-zhhb-qbf3" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/64001?format=api", "vulnerability_id": "VCID-yden-h68w-uuex", "summary": "A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. 
The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3121", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35309", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35494", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.3551", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.0015", "scoring_system": "epss", "scoring_elements": "0.35488", "published_at": "2026-06-12T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-3121" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3121", "reference_id": "CVE-2024-3121", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-3121" }, { "reference_url": "https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b", "reference_id": "db57c343-9b80-4c1c-9ab0-9eef92c9b27b", "reference_type": "", "scores": [ { 
"value": "6.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "6.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-26T19:04:19Z/" } ], "url": "https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b" }, { "reference_url": "https://github.com/advisories/GHSA-79h8-gxhq-q3jg", "reference_id": "GHSA-79h8-gxhq-q3jg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-79h8-gxhq-q3jg" } ], "fixed_packages": [], "aliases": [ "CVE-2024-3121", "GHSA-79h8-gxhq-q3jg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yden-h68w-uuex" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50011?format=api", "vulnerability_id": "VCID-13n2-acu3-myc6", "summary": "A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. 
The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6281", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19113", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.1928", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19282", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.19303", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-6281" }, { "reference_url": "https://github.com/parisneo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/parisneo/lollms" }, { "reference_url": "https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61", "reference_id": "0a62f2fb-4e62-4128-9dc4-e8f1d959ac61", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, 
{ "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T15:08:15Z/" } ], "url": "https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61" }, { "reference_url": "https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092", "reference_id": "26a3ff35acf152b49e1087d5698ad4864c7b6092", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T15:08:15Z/" } ], "url": "https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6281", "reference_id": "CVE-2024-6281", "reference_type": "", "scores": [ { "value": "7.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6281" }, { "reference_url": "https://github.com/advisories/GHSA-8mrm-r7h3-c3hj", "reference_id": "GHSA-8mrm-r7h3-c3hj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8mrm-r7h3-c3hj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32282?format=api", 
"purl": "pkg:pypi/lollms@9.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4yfc-ecwf-x7b1" }, { "vulnerability": "VCID-ar4r-4cnr-13gc" }, { "vulnerability": "VCID-au6c-n4km-4bfz" }, { "vulnerability": "VCID-f5pj-epgg-cka3" }, { "vulnerability": "VCID-jpg6-7hr6-d7ah" }, { "vulnerability": "VCID-p99a-pyqn-cfbf" }, { "vulnerability": "VCID-qmrn-43fj-s3ac" }, { "vulnerability": "VCID-uqk3-zhhb-qbf3" }, { "vulnerability": "VCID-yden-h68w-uuex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.1" } ], "aliases": [ "CVE-2024-6281", "GHSA-8mrm-r7h3-c3hj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-13n2-acu3-myc6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/39374?format=api", "vulnerability_id": "VCID-v3ft-w2aa-eudy", "summary": "CVE-2024-4320 describes a vulnerability in the parisneo/lollms software, specifically within the `ExtensionBuilder().build_extension()` function. The vulnerability arises from the `/mount_extension` endpoint, where a path traversal issue allows attackers to navigate beyond the intended directory structure. This is facilitated by the `data.category` and `data.folder` parameters accepting empty strings (`\"\"`), which, due to inadequate input sanitization, can lead to the construction of a `package_path` that points to the root directory. Consequently, if an attacker can create a `config.yaml` file in a controllable path, this path can be appended to the `extensions` list and trigger the execution of `__init__.py` in the current directory, leading to remote code execution. 
The vulnerability affects versions up to 5.9.0, and has been addressed in version 9.8.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5443", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.17468", "scoring_system": "epss", "scoring_elements": "0.95222", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.17468", "scoring_system": "epss", "scoring_elements": "0.95243", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.17468", "scoring_system": "epss", "scoring_elements": "0.95237", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.17468", "scoring_system": "epss", "scoring_elements": "0.95241", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-5443" }, { "reference_url": "https://github.com/ParisNeo/lollms", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ParisNeo/lollms" }, { "reference_url": "https://github.com/parisneo/lollms/commit/2d0c4e76be93195836ecd0948027e791b8a2626f", "reference_id": "2d0c4e76be93195836ecd0948027e791b8a2626f", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-24T14:49:54Z/" } ], "url": "https://github.com/parisneo/lollms/commit/2d0c4e76be93195836ecd0948027e791b8a2626f" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5443", "reference_id": "CVE-2024-5443", 
"reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-5443" }, { "reference_url": "https://huntr.com/bounties/db52848a-4dbe-4110-a981-03739834bf45", "reference_id": "db52848a-4dbe-4110-a981-03739834bf45", "reference_type": "", "scores": [ { "value": "9.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "9.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-24T14:49:54Z/" } ], "url": "https://huntr.com/bounties/db52848a-4dbe-4110-a981-03739834bf45" }, { "reference_url": "https://github.com/advisories/GHSA-mvrm-fh8q-6wr2", "reference_id": "GHSA-mvrm-fh8q-6wr2", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mvrm-fh8q-6wr2" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/32282?format=api", "purl": "pkg:pypi/lollms@9.5.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-4yfc-ecwf-x7b1" }, { "vulnerability": "VCID-ar4r-4cnr-13gc" }, { "vulnerability": "VCID-au6c-n4km-4bfz" }, { "vulnerability": "VCID-f5pj-epgg-cka3" }, { "vulnerability": "VCID-jpg6-7hr6-d7ah" }, { "vulnerability": "VCID-p99a-pyqn-cfbf" }, { "vulnerability": "VCID-qmrn-43fj-s3ac" }, { "vulnerability": "VCID-uqk3-zhhb-qbf3" }, { "vulnerability": "VCID-yden-h68w-uuex" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.1" } ], "aliases": [ "CVE-2024-5443", 
"GHSA-mvrm-fh8q-6wr2" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v3ft-w2aa-eudy" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.1" }