VulnerableCode Package Details - pkg:pypi/lollms@2.2.4

Search for packages

Vulnerability	Summary	Fixed by
VCID-e3ss-pxxn-13ej Aliases: CVE-2024-4881 GHSA-p8h7-c8gw-6x8c PYSEC-2024-108	A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\windows\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.	5.9.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} 9.5.0 Affected by 0 other vulnerabilities.
VCID-ynq9-29u2-2uce Aliases: CVE-2024-6985 GHSA-6h64-g7cj-hj56 PYSEC-2024-122	A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.	5.9.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-e3ss-pxxn-13ej
Aliases:
CVE-2024-4881
GHSA-p8h7-c8gw-6x8c
PYSEC-2024-108

A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions, but fixed in version 5.9.0. The vulnerability arises due to improper validation of file paths between Windows and Linux environments, allowing attackers to traverse beyond the intended directory and read any file on the Windows system. Specifically, the application fails to adequately sanitize file paths containing backslashes (`\`), which can be exploited to access the root directory and read, or even delete, sensitive files. This issue was discovered in the context of the `/user_infos` endpoint, where a crafted request using backslashes to reference a file (e.g., `\windows\win.ini`) could result in unauthorized file access. The impact of this vulnerability includes the potential for attackers to access sensitive information such as environment variables, database files, and configuration files, which could lead to further compromise of the system.

5.9.0
Affected by 1 other vulnerability.

9.5.0
Affected by 0 other vulnerabilities.

VCID-ynq9-29u2-2uce
Aliases:
CVE-2024-6985
GHSA-6h64-g7cj-hj56
PYSEC-2024-122

A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises due to improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.

5.9.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-05-31T09:46:38.480674+00:00	PyPI Importer	Affected by	VCID-ynq9-29u2-2uce	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-31T09:46:11.350454+00:00	PyPI Importer	Affected by	VCID-e3ss-pxxn-13ej	https://osv-vulnerabilities.storage.googleapis.com/PyPI/all.zip	38.6.0
2026-05-30T20:35:39.012639+00:00	Pypa Importer	Affected by	VCID-ynq9-29u2-2uce	https://github.com/pypa/advisory-database/blob/main/vulns/lollms/PYSEC-2024-122.yaml	38.6.0
2026-05-30T20:34:39.911660+00:00	Pypa Importer	Affected by	VCID-e3ss-pxxn-13ej	https://github.com/pypa/advisory-database/blob/main/vulns/lollms/PYSEC-2024-108.yaml	38.6.0