Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/lollms@1.1.51

Type pypi

Namespace

Name lollms

Version 1.1.51

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version null

Latest_non_vulnerable_version null

Affected_by_vulnerabilities

url VCID-13n2-acu3-myc6

vulnerability_id VCID-13n2-acu3-myc6

summary A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6281

reference_id

reference_type

scores

value	0.0006
scoring_system	epss
scoring_elements	0.19113
published_at	2026-06-11T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.1928
published_at	2026-06-14T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.19282
published_at	2026-06-12T12:55:00Z

value	0.0006
scoring_system	epss
scoring_elements	0.19303
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6281

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61

reference_id

0a62f2fb-4e62-4128-9dc4-e8f1d959ac61

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T15:08:15Z/

url

https://huntr.com/bounties/0a62f2fb-4e62-4128-9dc4-e8f1d959ac61

reference_url

https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092

reference_id

26a3ff35acf152b49e1087d5698ad4864c7b6092

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-23T15:08:15Z/

url

https://github.com/parisneo/lollms/commit/26a3ff35acf152b49e1087d5698ad4864c7b6092

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6281

reference_id

CVE-2024-6281

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

value	7.0
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6281

reference_url

https://github.com/advisories/GHSA-8mrm-r7h3-c3hj

reference_id

GHSA-8mrm-r7h3-c3hj

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8mrm-r7h3-c3hj

fixed_packages

url pkg:pypi/lollms@9.5.1

purl pkg:pypi/lollms@9.5.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.1

aliases CVE-2024-6281, GHSA-8mrm-r7h3-c3hj

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-13n2-acu3-myc6

url VCID-1mgm-xwcq-mbdj

vulnerability_id VCID-1mgm-xwcq-mbdj

summary A path traversal vulnerability exists in the parisneo/lollms application, specifically within the `sanitize_path_from_endpoint` and `sanitize_path` functions in `lollms_core\lollms\security.py`. This vulnerability allows for arbitrary file reading when the application is running on Windows. The issue arises due to insufficient sanitization of user-supplied input, enabling attackers to bypass the path traversal protection mechanisms by crafting malicious input. Successful exploitation could lead to unauthorized access to sensitive files, information disclosure, and potentially a denial of service (DoS) condition by including numerous large or resource-intensive files. This vulnerability affects the latest version prior to 9.6.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-3429

reference_id

reference_type

scores

value	0.00398
scoring_system	epss
scoring_elements	0.61049
published_at	2026-06-11T12:55:00Z

value	0.00398
scoring_system	epss
scoring_elements	0.61162
published_at	2026-06-14T12:55:00Z

value	0.00398
scoring_system	epss
scoring_elements	0.61155
published_at	2026-06-12T12:55:00Z

value	0.00398
scoring_system	epss
scoring_elements	0.61164
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-3429

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-3429

reference_id

CVE-2024-3429

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-3429

reference_url

https://github.com/parisneo/lollms/commit/f4424cfc3d6dfb3ad5ac17dd46801efe784933e9

reference_id

f4424cfc3d6dfb3ad5ac17dd46801efe784933e9

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-10T18:17:14Z/

url

https://github.com/parisneo/lollms/commit/f4424cfc3d6dfb3ad5ac17dd46801efe784933e9

reference_url

https://huntr.com/bounties/fd8f50c8-17f0-40be-a2c6-bb8d80f7c409

reference_id

fd8f50c8-17f0-40be-a2c6-bb8d80f7c409

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-10T18:17:14Z/

url

https://huntr.com/bounties/fd8f50c8-17f0-40be-a2c6-bb8d80f7c409

reference_url

https://github.com/advisories/GHSA-3x47-w4rx-6pm7

reference_id

GHSA-3x47-w4rx-6pm7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3x47-w4rx-6pm7

fixed_packages

url pkg:pypi/lollms@9.5.0

purl pkg:pypi/lollms@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.0

aliases CVE-2024-3429, GHSA-3x47-w4rx-6pm7

risk_score 4.4

exploitability 0.5

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1mgm-xwcq-mbdj

url

VCID-4yfc-ecwf-x7b1

vulnerability_id

VCID-4yfc-ecwf-x7b1

summary

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1163

reference_id

reference_type

scores

value	0.00015
scoring_system	epss
scoring_elements	0.03181
published_at	2026-06-14T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03173
published_at	2026-06-11T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03168
published_at	2026-06-13T12:55:00Z

value	0.00015
scoring_system	epss
scoring_elements	0.03185
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1163

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1163

reference_id

reference_type

scores

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1163

reference_url

https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

reference_id

abe2d1c4-c21c-4608-8a8e-274565246a8b

reference_type

scores

value	4.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

value	4.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-08T15:58:28Z/

url

https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

reference_url

https://github.com/advisories/GHSA-8jg2-726g-xh43

reference_id

GHSA-8jg2-726g-xh43

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8jg2-726g-xh43

fixed_packages

aliases

CVE-2026-1163, GHSA-8jg2-726g-xh43

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-4yfc-ecwf-x7b1

url VCID-ae89-xu83-3bf9

vulnerability_id VCID-ae89-xu83-3bf9

summary A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1115

reference_id

reference_type

scores

value	0.00068
scoring_system	epss
scoring_elements	0.21096
published_at	2026-06-11T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.2127
published_at	2026-06-14T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21277
published_at	2026-06-12T12:55:00Z

value	0.00068
scoring_system	epss
scoring_elements	0.21291
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1115

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1115

reference_id

reference_type

scores

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1115

reference_url

https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa

reference_id

099aa4fe-7165-4337-889c-3fb4f1aa71aa

reference_type

scores

value	9.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T13:01:40Z/

url

https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa

reference_url

https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a

reference_id

9767b882dbc893c388a286856beeaead69b8292a

reference_type

scores

value	9.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	9.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-10T13:01:40Z/

url

https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a

reference_url

https://github.com/advisories/GHSA-8wrq-fv5f-pfp2

reference_id

GHSA-8wrq-fv5f-pfp2

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-8wrq-fv5f-pfp2

fixed_packages

url pkg:pypi/lollms@2.2.0

purl pkg:pypi/lollms@2.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-1mgm-xwcq-mbdj

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-hura-5vfk-eybr

vulnerability	VCID-ja98-64k4-bbav

vulnerability	VCID-jf45-k4kd-sben

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-pym8-g7zr-4udh

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@2.2.0

aliases CVE-2026-1115, GHSA-8wrq-fv5f-pfp2

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ae89-xu83-3bf9

url

VCID-ar4r-4cnr-13gc

vulnerability_id

VCID-ar4r-4cnr-13gc

summary

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG files. Due to incomplete filtering in the sanitize_svg function, this can lead to cross-site scripting (XSS) vulnerabilities, which in turn pose a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes, but does not account for other potential vectors for XSS within SVG files. This vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6581

reference_id

reference_type

scores

value	0.01646
scoring_system	epss
scoring_elements	0.82456
published_at	2026-06-14T12:55:00Z

value	0.01646
scoring_system	epss
scoring_elements	0.82452
published_at	2026-06-12T12:55:00Z

value	0.01646
scoring_system	epss
scoring_elements	0.82461
published_at	2026-06-13T12:55:00Z

value	0.01646
scoring_system	epss
scoring_elements	0.8239
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6581

reference_url

https://github.com/advisories/GHSA-cm59-8rmv-f2cj

reference_id

reference_type

scores

value	9.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cm59-8rmv-f2cj

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/lollms/PYSEC-2024-116.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/lollms/PYSEC-2024-116.yaml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6581

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6581

reference_url

https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd

reference_id

328b960a0de2097e13654ac752253e9541521ddd

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	9.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:17:31Z/

url

https://github.com/parisneo/lollms/commit/328b960a0de2097e13654ac752253e9541521ddd

reference_url

https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7

reference_id

ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

value	9.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

value	5.1
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-29T13:17:31Z/

url

https://huntr.com/bounties/ad68ecd6-44e2-449b-8e7e-f2b71b1b43c7

fixed_packages

aliases

CVE-2024-6581, GHSA-cm59-8rmv-f2cj, PYSEC-2024-116

risk_score

4.0

exploitability

0.5

weighted_severity

8.1

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-ar4r-4cnr-13gc

url

VCID-au6c-n4km-4bfz

vulnerability_id

VCID-au6c-n4km-4bfz

summary

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6139

reference_id

reference_type

scores

value	0.00121
scoring_system	epss
scoring_elements	0.30906
published_at	2026-06-12T12:55:00Z

value	0.00121
scoring_system	epss
scoring_elements	0.30907
published_at	2026-06-14T12:55:00Z

value	0.00121
scoring_system	epss
scoring_elements	0.30709
published_at	2026-06-11T12:55:00Z

value	0.00121
scoring_system	epss
scoring_elements	0.30923
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6139

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6139

reference_id

CVE-2024-6139

reference_type

scores

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6139

reference_url

https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0

reference_id

fd00f112-efd0-40a1-8227-d6733716e4c0

reference_type

scores

value	7.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	7.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-27T20:06:46Z/

url

https://huntr.com/bounties/fd00f112-efd0-40a1-8227-d6733716e4c0

reference_url

https://github.com/advisories/GHSA-w9qf-83jg-2x6c

reference_id

GHSA-w9qf-83jg-2x6c

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w9qf-83jg-2x6c

fixed_packages

aliases

CVE-2024-6139, GHSA-w9qf-83jg-2x6c

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-au6c-n4km-4bfz

url VCID-ek5s-9xdc-wbch

vulnerability_id VCID-ek5s-9xdc-wbch

summary A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client's actions to affect the server's state and other clients' operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-1117

reference_id

reference_type

scores

value	0.00125
scoring_system	epss
scoring_elements	0.31331
published_at	2026-06-11T12:55:00Z

value	0.00125
scoring_system	epss
scoring_elements	0.31524
published_at	2026-06-14T12:55:00Z

value	0.00125
scoring_system	epss
scoring_elements	0.31523
published_at	2026-06-12T12:55:00Z

value	0.00125
scoring_system	epss
scoring_elements	0.31542
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-1117

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b

reference_id

36a5b513dfefe9c2913bf9b618457b4fea603e3b

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:49:35Z/

url

https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-1117

reference_id

CVE-2026-1117

reference_type

scores

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-1117

reference_url

https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829

reference_id

d2846a7f-0140-4105-b1bb-5ef64ec8b829

reference_type

scores

value	8.2
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	8.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-02T17:49:35Z/

url

https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829

reference_url

https://github.com/advisories/GHSA-82fw-ch24-j34w

reference_id

GHSA-82fw-ch24-j34w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-82fw-ch24-j34w

fixed_packages

url pkg:pypi/lollms@2.1.0

purl pkg:pypi/lollms@2.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-1mgm-xwcq-mbdj

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ae89-xu83-3bf9

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-hura-5vfk-eybr

vulnerability	VCID-ja98-64k4-bbav

vulnerability	VCID-jf45-k4kd-sben

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-pym8-g7zr-4udh

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-xm2h-tpp8-3kb4

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@2.1.0

aliases CVE-2026-1117, GHSA-82fw-ch24-j34w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ek5s-9xdc-wbch

url

VCID-f5pj-epgg-cka3

vulnerability_id

VCID-f5pj-epgg-cka3

summary

The parisneo/lollms repository is affected by a timing attack vulnerability in the `authenticate_user` function within the `lollms_authentication.py` file. This vulnerability allows attackers to enumerate valid usernames and guess passwords incrementally by analyzing response time differences. The affected version is the latest, and the issue is resolved in version 20.1. The vulnerability arises from the use of Python's default string equality operator for password comparison, which compares characters sequentially and exits on the first mismatch, leading to variable response times based on the number of matching initial characters.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-6386

reference_id

reference_type

scores

value	0.0026
scoring_system	epss
scoring_elements	0.49803
published_at	2026-06-12T12:55:00Z

value	0.0026
scoring_system	epss
scoring_elements	0.49809
published_at	2026-06-14T12:55:00Z

value	0.0026
scoring_system	epss
scoring_elements	0.49666
published_at	2026-06-11T12:55:00Z

value	0.0026
scoring_system	epss
scoring_elements	0.49821
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-6386

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-6386

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-6386

reference_url

https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67

reference_id

6da05485-d219-4f18-9ffc-991053524b67

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:22:38Z/

url

https://huntr.com/bounties/6da05485-d219-4f18-9ffc-991053524b67

reference_url

https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48

reference_id

f78437f7b5aa39a78c6201912faf4e0645a38c48

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-07-07T14:22:38Z/

url

https://github.com/parisneo/lollms/commit/f78437f7b5aa39a78c6201912faf4e0645a38c48

reference_url

https://github.com/advisories/GHSA-j5pr-vrjj-9v4h

reference_id

GHSA-j5pr-vrjj-9v4h

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j5pr-vrjj-9v4h

fixed_packages

aliases

CVE-2025-6386, GHSA-j5pr-vrjj-9v4h

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-f5pj-epgg-cka3

url VCID-hura-5vfk-eybr

vulnerability_id VCID-hura-5vfk-eybr

summary parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including `personalities` and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availability.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-4315

reference_id

reference_type

scores

value	0.00899
scoring_system	epss
scoring_elements	0.7611
published_at	2026-06-11T12:55:00Z

value	0.00899
scoring_system	epss
scoring_elements	0.76189
published_at	2026-06-14T12:55:00Z

value	0.00899
scoring_system	epss
scoring_elements	0.76182
published_at	2026-06-12T12:55:00Z

value	0.00899
scoring_system	epss
scoring_elements	0.76195
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-4315

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://huntr.com/bounties/8a1b0197-2c36-4276-b92b-630a2a9bb09c

reference_id

8a1b0197-2c36-4276-b92b-630a2a9bb09c

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T14:27:21Z/

url

https://huntr.com/bounties/8a1b0197-2c36-4276-b92b-630a2a9bb09c

reference_url

https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_id

95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_type

scores

value	9.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-26T14:27:21Z/

url

https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-4315

reference_id

CVE-2024-4315

reference_type

scores

value	9.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-4315

reference_url

https://github.com/advisories/GHSA-vqwr-q6cc-c242

reference_id

GHSA-vqwr-q6cc-c242

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-vqwr-q6cc-c242

fixed_packages

url pkg:pypi/lollms@9.5.0

purl pkg:pypi/lollms@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.0

aliases CVE-2024-4315, GHSA-vqwr-q6cc-c242

risk_score 4.5

exploitability 0.5

weighted_severity 9.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hura-5vfk-eybr

url VCID-ja98-64k4-bbav

vulnerability_id VCID-ja98-64k4-bbav

summary A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-5824

reference_id

reference_type

scores

value	0.01395
scoring_system	epss
scoring_elements	0.80807
published_at	2026-06-11T12:55:00Z

value	0.01395
scoring_system	epss
scoring_elements	0.8087
published_at	2026-06-14T12:55:00Z

value	0.01395
scoring_system	epss
scoring_elements	0.80867
published_at	2026-06-12T12:55:00Z

value	0.01395
scoring_system	epss
scoring_elements	0.80878
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-5824

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://huntr.com/bounties/9ceb7cf9-a7cd-4699-b3f8-d0999d2b49fd

reference_id

9ceb7cf9-a7cd-4699-b3f8-d0999d2b49fd

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-28T15:07:58Z/

url

https://huntr.com/bounties/9ceb7cf9-a7cd-4699-b3f8-d0999d2b49fd

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-5824

reference_id

CVE-2024-5824

reference_type

scores

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-5824

reference_url

https://github.com/parisneo/lollms/commit/eda3af5f5c4ea9b2f3569f72f8d05989e29367fc

reference_id

eda3af5f5c4ea9b2f3569f72f8d05989e29367fc

reference_type

scores

value	7.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	7.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-06-28T15:07:58Z/

url

https://github.com/parisneo/lollms/commit/eda3af5f5c4ea9b2f3569f72f8d05989e29367fc

reference_url

https://github.com/advisories/GHSA-m45c-v46h-c788

reference_id

GHSA-m45c-v46h-c788

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-m45c-v46h-c788

fixed_packages

url pkg:pypi/lollms@9.5.0

purl pkg:pypi/lollms@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.0

aliases CVE-2024-5824, GHSA-m45c-v46h-c788

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ja98-64k4-bbav

url VCID-jf45-k4kd-sben

vulnerability_id VCID-jf45-k4kd-sben

summary A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\windows\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-4881

reference_id

reference_type

scores

value	0.00212
scoring_system	epss
scoring_elements	0.43971
published_at	2026-06-12T12:55:00Z

value	0.00212
scoring_system	epss
scoring_elements	0.43979
published_at	2026-06-14T12:55:00Z

value	0.00212
scoring_system	epss
scoring_elements	0.43991
published_at	2026-06-13T12:55:00Z

value	0.00212
scoring_system	epss
scoring_elements	0.43816
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-4881

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://huntr.com/bounties/94f7f901-80b0-4cf5-b545-ac5c1e7635e9

reference_id

94f7f901-80b0-4cf5-b545-ac5c1e7635e9

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-06T20:00:38Z/

url

https://huntr.com/bounties/94f7f901-80b0-4cf5-b545-ac5c1e7635e9

reference_url

https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_id

95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-06-06T20:00:38Z/

url

https://github.com/parisneo/lollms/commit/95ad36eeffc6a6be3e3f35ed35a384d768f0ecf6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-4881

reference_id

CVE-2024-4881

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	7.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-4881

reference_url

https://github.com/advisories/GHSA-p8h7-c8gw-6x8c

reference_id

GHSA-p8h7-c8gw-6x8c

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p8h7-c8gw-6x8c

fixed_packages

url pkg:pypi/lollms@5.9.0

purl pkg:pypi/lollms@5.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-1mgm-xwcq-mbdj

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-hura-5vfk-eybr

vulnerability	VCID-ja98-64k4-bbav

vulnerability	VCID-jf45-k4kd-sben

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-pym8-g7zr-4udh

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@5.9.0

url pkg:pypi/lollms@9.5.0

purl pkg:pypi/lollms@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.0

aliases CVE-2024-4881, GHSA-p8h7-c8gw-6x8c, PYSEC-2024-108

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-jf45-k4kd-sben

url

VCID-jpg6-7hr6-d7ah

vulnerability_id

VCID-jpg6-7hr6-d7ah

summary

A path traversal vulnerability exists in the XTTS server included in the lollms package, version v9.6. This vulnerability arises from the ability to perform an unauthenticated root folder settings change. Although the read file endpoint is protected against path traversals, this protection can be bypassed by changing the root folder to '/'. This allows attackers to read arbitrary files on the system. Additionally, the output folders can be changed to write arbitrary audio files to any location on the system.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6085

reference_id

reference_type

scores

value	0.00134
scoring_system	epss
scoring_elements	0.33067
published_at	2026-06-11T12:55:00Z

value	0.00134
scoring_system	epss
scoring_elements	0.33245
published_at	2026-06-14T12:55:00Z

value	0.00134
scoring_system	epss
scoring_elements	0.33268
published_at	2026-06-13T12:55:00Z

value	0.00134
scoring_system	epss
scoring_elements	0.33248
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6085

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6085

reference_id

CVE-2024-6085

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6085

reference_url

https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe

reference_id

d2fb73d7-4b4f-451a-8763-484c189a27fe

reference_type

scores

value	8.6
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-07-05T14:03:35Z/

url

https://huntr.com/bounties/d2fb73d7-4b4f-451a-8763-484c189a27fe

reference_url

https://github.com/advisories/GHSA-9chm-m6x2-6fvc

reference_id

GHSA-9chm-m6x2-6fvc

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-9chm-m6x2-6fvc

fixed_packages

aliases

CVE-2024-6085, GHSA-9chm-m6x2-6fvc

risk_score

4.0

exploitability

0.5

weighted_severity

8.0

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-jpg6-7hr6-d7ah

url

VCID-p99a-pyqn-cfbf

vulnerability_id

VCID-p99a-pyqn-cfbf

summary

A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the `lollms_file_system.py` file. The functions `add_rag_database`, `toggle_mount_rag_database`, and `vectorize_folder` do not implement security measures such as `sanitize_path_from_endpoint` or `sanitize_path`. This allows an attacker to perform vectorize operations on `.sqlite` files in any directory on the victim's computer, potentially installing multiple packages and causing a crash.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6971

reference_id

reference_type

scores

value	0.00027
scoring_system	epss
scoring_elements	0.08249
published_at	2026-06-12T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08244
published_at	2026-06-14T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08213
published_at	2026-06-11T12:55:00Z

value	0.00027
scoring_system	epss
scoring_elements	0.08245
published_at	2026-06-13T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6971

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://github.com/ParisNeo/lollms/commit/aeace796d861e922133b769710019608a6363264

reference_id

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms/commit/aeace796d861e922133b769710019608a6363264

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6971

reference_id

CVE-2024-6971

reference_type

scores

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6971

reference_url

https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e

reference_id

fbfe7cd0-99fb-4305-bd07-8b573364109e

reference_type

scores

value	3.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

value	3.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L

value	1.8
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T14:31:13Z/

url

https://huntr.com/bounties/fbfe7cd0-99fb-4305-bd07-8b573364109e

reference_url

https://github.com/advisories/GHSA-7pgr-32fx-c6x9

reference_id

GHSA-7pgr-32fx-c6x9

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-7pgr-32fx-c6x9

fixed_packages

aliases

CVE-2024-6971, GHSA-7pgr-32fx-c6x9

risk_score

1.6

exploitability

0.5

weighted_severity

3.1

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-p99a-pyqn-cfbf

url VCID-pym8-g7zr-4udh

vulnerability_id VCID-pym8-g7zr-4udh

summary A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-4078

reference_id

reference_type

scores

value	0.09758
scoring_system	epss
scoring_elements	0.93146
published_at	2026-06-14T12:55:00Z

value	0.09758
scoring_system	epss
scoring_elements	0.93122
published_at	2026-06-11T12:55:00Z

value	0.09758
scoring_system	epss
scoring_elements	0.93145
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-4078

reference_url

https://github.com/parisneo/lollms

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/parisneo/lollms

reference_url

https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f

reference_id

7ebe08da7e0026b155af4f7be1d6417bc64cf02f

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-16T14:55:26Z/

url

https://github.com/parisneo/lollms/commit/7ebe08da7e0026b155af4f7be1d6417bc64cf02f

reference_url

https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d

reference_id

a55a8c04-df44-49b2-bcfa-2a2b728a299d

reference_type

scores

value	9.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-05-16T14:55:26Z/

url

https://huntr.com/bounties/a55a8c04-df44-49b2-bcfa-2a2b728a299d

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-4078

reference_id

CVE-2024-4078

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-4078

reference_url

https://github.com/advisories/GHSA-pwc9-q4hj-pg8g

reference_id

GHSA-pwc9-q4hj-pg8g

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-pwc9-q4hj-pg8g

fixed_packages

url pkg:pypi/lollms@9.5.0

purl pkg:pypi/lollms@9.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@9.5.0

aliases CVE-2024-4078, GHSA-pwc9-q4hj-pg8g

risk_score 4.4

exploitability 0.5

weighted_severity 8.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-pym8-g7zr-4udh

url VCID-qmrn-43fj-s3ac

vulnerability_id VCID-qmrn-43fj-s3ac

summary A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6985

reference_id

reference_type

scores

value	0.00053
scoring_system	epss
scoring_elements	0.17224
published_at	2026-06-13T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.17053
published_at	2026-06-11T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.17212
published_at	2026-06-12T12:55:00Z

value	0.00053
scoring_system	epss
scoring_elements	0.17198
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6985

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620

reference_id

28ee567a9a120967215ff19b96ab7515ce469620

reference_type

scores

value	4.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T16:13:21Z/

url

https://github.com/parisneo/lollms/commit/28ee567a9a120967215ff19b96ab7515ce469620

reference_url

https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a

reference_id

79c11579-47d8-4e68-8466-b47c3bf5ef6a

reference_type

scores

value	4.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-11T16:13:21Z/

url

https://huntr.com/bounties/79c11579-47d8-4e68-8466-b47c3bf5ef6a

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6985

reference_id

CVE-2024-6985

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6985

reference_url

https://github.com/advisories/GHSA-6h64-g7cj-hj56

reference_id

GHSA-6h64-g7cj-hj56

reference_type

scores

value	4.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6h64-g7cj-hj56

fixed_packages

url pkg:pypi/lollms@5.9.0

purl pkg:pypi/lollms@5.9.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-1mgm-xwcq-mbdj

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-hura-5vfk-eybr

vulnerability	VCID-ja98-64k4-bbav

vulnerability	VCID-jf45-k4kd-sben

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-pym8-g7zr-4udh

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-v3ft-w2aa-eudy

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@5.9.0

aliases CVE-2024-6985, GHSA-6h64-g7cj-hj56, PYSEC-2024-122

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qmrn-43fj-s3ac

url VCID-uqk3-zhhb-qbf3

vulnerability_id VCID-uqk3-zhhb-qbf3

summary A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python's `eval()` function to evaluate mathematical expressions within a Python sandbox that disables `__builtins__` and only allows functions from the `math` module. This sandbox can be bypassed by loading the `os` module using the `_frozen_importlib.BuiltinImporter` class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6982

reference_id

reference_type

scores

value	0.0014
scoring_system	epss
scoring_elements	0.34063
published_at	2026-06-13T12:55:00Z

value	0.0014
scoring_system	epss
scoring_elements	0.33865
published_at	2026-06-11T12:55:00Z

value	0.0014
scoring_system	epss
scoring_elements	0.34042
published_at	2026-06-14T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6982

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6982

reference_id

reference_type

scores

value	8.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6982

reference_url

https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832

reference_id

30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832

reference_type

scores

value	8.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:49:52Z/

url

https://github.com/parisneo/lollms/commit/30e7eaba2ccfb751a81e7cb29fdef2ae8ffa6832

reference_url

https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea

reference_id

4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea

reference_type

scores

value	8.4
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	8.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-03-20T17:49:52Z/

url

https://huntr.com/bounties/4f8e73ac-aaaf-4d5c-a6dd-58215b5a7fea

reference_url

https://github.com/advisories/GHSA-jccx-m9v4-9hwh

reference_id

GHSA-jccx-m9v4-9hwh

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-jccx-m9v4-9hwh

fixed_packages

url pkg:pypi/lollms@11.0.0

purl pkg:pypi/lollms@11.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-f5pj-epgg-cka3

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@11.0.0

aliases CVE-2024-6982, GHSA-jccx-m9v4-9hwh

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-uqk3-zhhb-qbf3

url VCID-xm2h-tpp8-3kb4

vulnerability_id VCID-xm2h-tpp8-3kb4

summary A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The `respond_request()` function in `backend/routers/friends.py` does not implement proper authorization checks, enabling Insecure Direct Object Reference (IDOR) attacks. Specifically, the `/api/friends/requests/{friendship_id}` endpoint fails to verify whether the authenticated user is part of the friendship or the intended recipient of the request. This vulnerability can lead to unauthorized access, privacy violations, and potential social engineering attacks. The issue has been addressed in version 2.2.0.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-0562

reference_id

reference_type

scores

value	0.0005
scoring_system	epss
scoring_elements	0.16097
published_at	2026-06-12T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.16073
published_at	2026-06-14T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.16107
published_at	2026-06-13T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.15957
published_at	2026-06-11T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-0562

reference_url

https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/

reference_id

reference_type

scores

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

url

https://aydinnyunus.github.io/2026/04/18/idor-lollms-friend-request-cve-2026-0562/

reference_url

https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf

reference_id

6aab01ca-a138-4a1d-bef9-3bce145359bf

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:34:27Z/

url

https://huntr.com/bounties/6aab01ca-a138-4a1d-bef9-3bce145359bf

reference_url

https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c

reference_id

c46297799f8e1e23305373f8350746b905e0e83c

reference_type

scores

value	8.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	8.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-03-30T15:34:27Z/

url

https://github.com/parisneo/lollms/commit/c46297799f8e1e23305373f8350746b905e0e83c

fixed_packages

url pkg:pypi/lollms@2.1.1

purl pkg:pypi/lollms@2.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-13n2-acu3-myc6

vulnerability	VCID-1mgm-xwcq-mbdj

vulnerability	VCID-4yfc-ecwf-x7b1

vulnerability	VCID-ae89-xu83-3bf9

vulnerability	VCID-ar4r-4cnr-13gc

vulnerability	VCID-au6c-n4km-4bfz

vulnerability	VCID-f5pj-epgg-cka3

vulnerability	VCID-hura-5vfk-eybr

vulnerability	VCID-ja98-64k4-bbav

vulnerability	VCID-jf45-k4kd-sben

vulnerability	VCID-jpg6-7hr6-d7ah

vulnerability	VCID-p99a-pyqn-cfbf

vulnerability	VCID-pym8-g7zr-4udh

vulnerability	VCID-qmrn-43fj-s3ac

vulnerability	VCID-uqk3-zhhb-qbf3

vulnerability	VCID-yden-h68w-uuex

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@2.1.1

aliases CVE-2026-0562, PYSEC-2026-204

risk_score 3.8

exploitability 0.5

weighted_severity 7.5

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xm2h-tpp8-3kb4

url

VCID-yden-h68w-uuex

vulnerability_id

VCID-yden-h68w-uuex

summary

A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. The vulnerability arises from the use of shell=True in the subprocess.Popen function, which allows an attacker to inject arbitrary commands by manipulating the env_name and python_version parameters. This issue could lead to a serious security breach as demonstrated by the ability to execute the 'whoami' command among potentially other harmful commands.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-3121

reference_id

reference_type

scores

value	0.0015
scoring_system	epss
scoring_elements	0.35309
published_at	2026-06-11T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35494
published_at	2026-06-14T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.3551
published_at	2026-06-13T12:55:00Z

value	0.0015
scoring_system	epss
scoring_elements	0.35488
published_at	2026-06-12T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-3121

reference_url

https://github.com/ParisNeo/lollms

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/ParisNeo/lollms

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-3121

reference_id

CVE-2024-3121

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-3121

reference_url

https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b

reference_id

db57c343-9b80-4c1c-9ab0-9eef92c9b27b

reference_type

scores

value	6.8
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2024-06-26T19:04:19Z/

url

https://huntr.com/bounties/db57c343-9b80-4c1c-9ab0-9eef92c9b27b

reference_url

https://github.com/advisories/GHSA-79h8-gxhq-q3jg

reference_id

GHSA-79h8-gxhq-q3jg

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-79h8-gxhq-q3jg

fixed_packages

aliases

CVE-2024-3121, GHSA-79h8-gxhq-q3jg

risk_score

3.1

exploitability

0.5

weighted_severity

6.2

resource_url

http://public2.vulnerablecode.io/vulnerabilities/VCID-yden-h68w-uuex

Fixing_vulnerabilities

Risk_score 4.5

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/lollms@1.1.51

Package Instance