Arbitrary file upload in Lollms Lollms_web_ui
CVE-2024-9920
In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. Attackers can exploit this by uploading files with…
Vulnerability class: Unrestricted File Upload
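As an added illustration of the weakness class described above (example code written for this page, not code from lollms-webui or from the huntr advisory), the following Python upload filter enforces the checks an unrestricted file upload lacks: an allowlist of extensions evaluated on the final suffix, a content check against the type the extension claims, rejection of path components and control characters in the client-supplied name, and a server-generated, non-executable filename so nothing the client chose reaches the filesystem. The allowlist, magic-byte table, size limit and the sample filenames in `run_demo()` are assumptions constructed for the demo.

```python
"""Added example (not lollms-webui code): an upload filter that supplies the
checks whose absence defines CWE-434, exercised against constructed samples."""
import os
import re
import secrets
import tempfile
from pathlib import PurePosixPath

# Hypothetical allowlist for a "send a document to the chat" feature.
# Anything not listed (.py, .sh, .bat, ...) is rejected outright.
ALLOWED_EXTENSIONS = {".txt", ".md", ".csv", ".pdf", ".png", ".jpg"}

# Magic-byte prefixes for the binary types we accept; text types are
# checked for a decodable UTF-8 body instead.
MAGIC = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
}


class UploadRejected(ValueError):
    pass


def validate_upload(filename: str, data: bytes, max_bytes: int = 10 * 1024 * 1024) -> str:
    """Return the lowercase extension if the upload is acceptable, else raise."""
    # A NUL or other control byte in the name can truncate it in C-based tools.
    if re.search(r"[\x00-\x1f\x7f]", filename):
        raise UploadRejected("control characters in filename")
    # Keep only the final path component so "../../x" or "C:\\x" cannot escape
    # the upload directory.
    name = PurePosixPath(filename.replace("\\", "/")).name
    if not name or name in (".", ".."):
        raise UploadRejected("empty or relative filename")
    if len(data) > max_bytes:
        raise UploadRejected("file too large")
    # Decide on the last suffix: "report.txt.py" is judged by ".py". Because
    # the stored name is regenerated below, "report.py.txt" becomes a harmless
    # random ".txt" file rather than keeping the attacker's name.
    ext = PurePosixPath(name).suffix.lower()
    if not ext:
        raise UploadRejected("no extension")
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    # The content must match what the extension claims.
    if ext in MAGIC:
        if not data.startswith(MAGIC[ext]):
            raise UploadRejected("content does not match extension")
    else:
        try:
            data.decode("utf-8")
        except UnicodeDecodeError:
            raise UploadRejected("text upload is not valid UTF-8") from None
    return ext


def store_upload(filename: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a server-chosen name; returns the stored path."""
    ext = validate_upload(filename, data)
    # Never reuse the client-supplied name.
    stored_name = f"{secrets.token_hex(16)}{ext}"
    path = os.path.join(upload_dir, stored_name)
    # O_EXCL: fail rather than overwrite; 0o600: owner-only and not executable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def run_demo() -> dict:
    """Run constructed sample uploads through store_upload; returns {label: outcome}."""
    upload_dir = tempfile.mkdtemp(prefix="uploads_")
    samples = {  # constructed inputs, not real captures
        "plain text": ("notes.txt", b"meeting notes\n"),
        "python script": ("backdoor.py", b"import os\n"),
        "double extension": ("report.txt.py", b"print(1)\n"),
        "path traversal": ("../../etc/cron.d/job.sh", b"#!/bin/sh\n"),
        "fake png": ("image.png", b"<?php echo 1; ?>"),
        "real png header": ("image.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
        "nul in name": ("evil.txt\x00.py", b"x"),
    }
    results = {}
    for label, (fname, data) in samples.items():
        try:
            path = store_upload(fname, data, upload_dir)
            results[label] = "stored as " + os.path.basename(path)
        except UploadRejected as exc:
            results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in run_demo().items():
        print(f"{label:18s} -> {outcome}")
```

The filter only covers the upload half of the problem: whatever later consumes stored files must still treat them as data, never hand the path to a shell or interpreter, and serve them from a location the web server will not execute.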
EPSS: 0.012 (65.6th percentile)
CVSS v3 metric
CVSS v3 base score 8.8 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, i.e. reachable over the network with low attack complexity, requiring only low privileges (an authenticated user) and no user interaction, scope unchanged, with high impact on confidentiality, integrity and availability.
Affected products
- Lollms Lollms_web_ui — version 12
- Parisneo Parisneo/lollms-webui — versions unspecified
Weakness classification (CWE)
- CWE-434: Unrestricted Upload of File with Dangerous Type
References
- security@huntr.dev (Exploit, Third Party Advisory)
Frequently asked questions
- What is CVE-2024-9920?
- CVE-2024-9920 is a high-severity vulnerability in Lollms Lollms_web_ui, classified under Unrestricted Upload of File with Dangerous Type. CVSS score: 8.8/10. Published 2025-03-20.
- How severe is CVE-2024-9920?
- High severity. CVSS v3 base score is 8.8 out of 10.