lollms web ui

67 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-1116
<= 2.1.0
A Cross-site Scripting (XSS) vulnerability was identified in the from_dict method of the AppLollmsMessage class in parisneo/lo
6.1 MEDIUM
CVE-2026-1115
<= 2.1.0
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest ve
9.6 CRITICAL
CVE-2026-1114
all versions
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of
9.8 CRITICAL
CVE-2026-0562
<= 2.1.0
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend
8.3 HIGH
CVE-2026-0560
<= 2.1.0
A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/fi
7.5 HIGH
CVE-2026-0558
<= 2.1.0
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files th
9.8 CRITICAL
CVE-2026-33340
all versions
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Fo
9.1 CRITICAL
CVE-2025-1451
all versions
A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. The server
7.5 HIGH
CVE-2024-9920
all versions
In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including
8.8 HIGH
CVE-2024-9919
all versions
A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized dir
8.4 HIGH
CVE-2024-8898
all versions
A path traversal vulnerability exists in the install and uninstall API endpoints of parisneo/lollms-webui version V12 (Strawbe
9.8 CRITICAL
CVE-2024-8736
all versions
A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry)
6.5 MEDIUM
CVE-2024-8581
all versions
A vulnerability in the upload_app function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or di
9.1 CRITICAL
CVE-2024-7058
all versions
A vulnerability in the sanitize_path function in parisneo/lollms-webui v10 - latest allows an attacker to bypass path sanitization
4.4 MEDIUM
CVE-2024-6986
all versions
A Cross-site Scripting (XSS) vulnerability exists in the Settings page of parisneo/lollms-webui version 9.8. The vulnerability is
5.4 MEDIUM
CVE-2024-12766
all versions
parisneo/lollms-webui version V13 (feather) suffers from a Server-Side Request Forgery (SSRF) vulnerability in the `POST /api/prox
7.5 HIGH
CVE-2024-10047
all versions
parisneo/lollms-webui versions v9.9 to the latest are vulnerable to a directory listing vulnerability. An attacker can list arbitr
5.3 MEDIUM
CVE-2024-10019
all versions
A vulnerability in the start_app_server function of parisneo/lollms-webui V12 (Strawberry) allows for path traversal and OS comm
6.7 MEDIUM
CVE-2024-5125
all versions
parisneo/lollms-webui version 9.6 is vulnerable to Cross-Site Scripting (XSS) and Open Redirect due to inadequate input validation
7.3 HIGH
CVE-2024-6674
< 10
A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs,
7.1 HIGH
CVE-2024-6673
< 10
A Cross-Site Request Forgery (CSRF) vulnerability exists in the install_comfyui endpoint of the lollms_comfyui.py file in the
6.5 MEDIUM
CVE-2024-6581
all versions
A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows for the uploading of SVG f
9.0 CRITICAL
CVE-2024-6959
all versions
A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. If
7.1 HIGH
CVE-2024-6985
< 5.9.0
A path traversal vulnerability exists in the api open_personality_folder endpoint of parisneo/lollms-webui. This vulnerability all
4.4 MEDIUM
CVE-2024-6971
all versions
A path traversal vulnerability exists in the parisneo/lollms-webui repository, specifically in the lollms_file_system.py file. T
4.4 MEDIUM
CVE-2024-6394
all versions
A Local File Inclusion vulnerability exists in parisneo/lollms-webui versions below v9.8. The vulnerability is due to unverified p
7.5 HIGH
CVE-2024-6040
all versions
In parisneo/lollms-webui version v9.8, the lollms_binding_infos is missing the client_id parameter, which leads to multiple securi
8.8 HIGH
CVE-2024-4897
< 9.8
parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-py
8.4 HIGH
CVE-2024-6250
all versions
An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the open_file endpoint of `lollms
7.5 HIGH
CVE-2024-5933
all versions
A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. This v
5.4 MEDIUM
CVE-2024-4498
all versions
A Path Traversal and Remote File Inclusion (RFI) vulnerability exists in the parisneo/lollms-webui application, affecting versions
7.7 HIGH
CVE-2024-4839
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms-webui, ve
3.3 LOW
CVE-2024-4499
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in the XTTS server of parisneo/lollms version 9.6 due to a lax CORS polic
6.3 MEDIUM
CVE-2024-3121
all versions
A remote code execution vulnerability exists in the create_conda_env function of the parisneo/lollms repository, version 5.9.0. Th
3.3 LOW
CVE-2024-4841
all versions
A Path Traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'add_reference_to_local_mode' function
3.3 LOW
CVE-2024-4403
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in the restart_program function of the parisneo/lollms-webui v9.6. This v
8.8 HIGH
CVE-2024-4881
< 5.9.0
A path traversal vulnerability exists in the parisneo/lollms application, affecting version 9.4.0 and potentially earlier versions
7.5 HIGH
CVE-2024-4320
all versions
A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application,
9.8 CRITICAL
CVE-2024-3429
< 9.6
A path traversal vulnerability exists in the parisneo/lollms application, specifically within the sanitize_path_from_endpoint an
9.8 CRITICAL
CVE-2024-3322
< 9.5
A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting
9.8 CRITICAL
CVE-2024-2624
< 9.4
A path traversal and arbitrary file upload vulnerability exists in the parisneo/lollms-webui application, specifically within the
9.8 CRITICAL
CVE-2024-2548
< 9.5
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the `lollms_core/lollms/server
7.5 HIGH
CVE-2024-2362
all versions
A path traversal vulnerability exists in the parisneo/lollms-webui version 9.3 on the Windows platform. Due to improper validation
9.1 CRITICAL
CVE-2024-2360
all versions
parisneo/lollms-webui is vulnerable to path traversal attacks that can lead to remote code execution due to insufficient sanitizat
9.8 CRITICAL
CVE-2024-2359
all versions
A vulnerability in the parisneo/lollms-webui version 9.3 allows attackers to bypass intended access restrictions and execute arbit
9.8 CRITICAL
CVE-2024-2288
< 9.3
A Cross-Site Request Forgery (CSRF) vulnerability exists in the profile picture upload functionality of the Lollms application, sp
8.3 HIGH
CVE-2024-1873
all versions
parisneo/lollms-webui is vulnerable to path traversal and denial of service attacks due to an exposed /select_database endpoint
9.1 CRITICAL
CVE-2024-5482
all versions
A Server-Side Request Forgery (SSRF) vulnerability exists in the 'add_webpage' endpoint of the parisneo/lollms-webui application,
9.8 CRITICAL
CVE-2024-2178
< 9.4
A path traversal vulnerability exists in the parisneo/lollms-webui, specifically within the 'copy_to_custom_personas' endpoint in
7.5 HIGH
CVE-2024-4330
>= 9.6 and < 9.8
A path traversal vulnerability was identified in the parisneo/lollms-webui repository, specifically within version 9.6. The vulner
3.3 LOW
CVE-2024-4267
all versions
A remote code execution (RCE) vulnerability exists in the parisneo/lollms-webui, specifically within the 'open_file' module, versi
9.8 CRITICAL
CVE-2024-4326
< 9.5
A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability s
9.8 CRITICAL
CVE-2024-4322
< 9.8
A path traversal vulnerability exists in the parisneo/lollms-webui application, specifically within the /list_personalities endp
7.5 HIGH
CVE-2024-3435
< 9.5
A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions
8.4 HIGH
CVE-2024-3126
< 9.5
A command injection vulnerability exists in the 'run_xtts_api_server' function of the parisneo/lollms-webui application, specifica
8.4 HIGH
CVE-2024-2366
< 9.5
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding f
9.0 CRITICAL
CVE-2024-2361
< 9.5
A vulnerability in the parisneo/lollms-webui allows for arbitrary file upload and read due to insufficient sanitization of user-su
9.6 CRITICAL
CVE-2024-2358
< 9.5
A path traversal vulnerability in the '/apply_settings' endpoint of parisneo/lollms-webui allows attackers to execute arbitrary co
9.8 CRITICAL
CVE-2024-2299
< 9.5
A stored Cross-Site Scripting (XSS) vulnerability exists in the parisneo/lollms-webui application due to improper validation of up
6.1 MEDIUM
CVE-2024-1646
< 9.3
parisneo/lollms-webui is vulnerable to authentication bypass due to insufficient protection over sensitive endpoints. The applicat
8.2 HIGH
CVE-2024-1601
all versions
An SQL injection vulnerability exists in the delete_discussion() function of the parisneo/lollms-webui application, allowing an
9.8 CRITICAL
CVE-2024-1569
all versions
parisneo/lollms-webui is vulnerable to a denial of service (DoS) attack due to uncontrolled resource consumption. Attackers can ex
7.5 HIGH
CVE-2024-1602
all versions
parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerabil
6.1 MEDIUM
CVE-2024-1600
>= 9.0 and < 9.6
A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalitie
9.3 CRITICAL
CVE-2024-1520
>= 9.0 and < 9.2
An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to
9.8 CRITICAL
CVE-2024-1511
all versions
The parisneo/lollms-webui repository is susceptible to a path traversal vulnerability due to inadequate validation of user-supplie
9.8 CRITICAL
CVE-2024-1522
>= 9.0 and <= 9.2
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrar
8.8 HIGH
threatengine.sh