Lollms Lollms_web_ui
46 CVEs affecting Lollms Lollms_web_ui. Latest disclosed: 2026-03-24. Critical: 18, High: 18.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-8898 | Critical | 9.8 | 2025-03-20 | A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allo… |
| CVE-2024-4320 | Critical | 9.8 | 2024-06-06 | A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@rou… |
| CVE-2024-3322 | Critical | 9.8 | 2024-06-06 | A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. The vuln… |
| CVE-2024-2624 | Critical | 9.8 | 2024-06-06 | A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the `@router.get("/switch_persona… |
| CVE-2024-2360 | Critical | 9.8 | 2024-06-06 | parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitization of user-supplied input in… |
| CVE-2024-2359 | Critical | 9.8 | 2024-06-06 | A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbitrary code. The issue arises f… |
| CVE-2024-5482 | Critical | 9.8 | 2024-06-06 | A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application, affecting the latest version… |
| CVE-2024-4326 | Critical | 9.8 | 2024-05-16 | A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protec… |
| CVE-2024-2358 | Critical | 9.8 | 2024-05-16 | A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary code. The vulnerability arises… |
| CVE-2024-1520 | Critical | 9.8 | 2024-04-10 | An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-s… |
| CVE-2024-1511 | Critical | 9.8 | 2024-04-10 | The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplied file paths. This flaw allow… |
| CVE-2024-2361 | Critical | 9.6 | 2024-05-16 | A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-supplied input. Specifically, t… |
| CVE-2024-1600 | Critical | 9.3 | 2024-04-10 | A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exp… |
| CVE-2026-33340 | Critical | 9.1 | 2026-03-24 | LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability ha… |
| CVE-2024-8581 | Critical | 9.1 | 2025-03-20 | A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The fu… |
| CVE-2024-2362 | Critical | 9.1 | 2024-06-06 | A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation of file paths between Window… |
| CVE-2024-1873 | Critical | 9.1 | 2024-06-06 | parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed `/select_database` endpoint in version a9d16b0. The endpo… |
| CVE-2024-2366 | Critical | 9.0 | 2024-05-16 | A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/l… |
| CVE-2024-9920 | High | 8.8 | 2025-03-20 | In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones li… |
| CVE-2024-6040 | High | 8.8 | 2024-08-01 | In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple security vulnerabilities. Specifica… |