Path Traversal Vulnerability in parisneo/lollms-webui
CVE-2024-8581

9.1CRITICAL

Key Information:

Vendor
Parisneo
Status
Parisneo/lollms-webui
Vendor
CVE Published:
20 March 2025

Summary

A security flaw exists in the upload_app function of parisneo/lollms-webui version 12 (Strawberry) that permits unauthorized file or directory deletion on the server. The lack of proper filtering for user input related to the filename leads to a path traversal vulnerability, allowing attackers to manipulate file paths and execute malicious commands, resulting in potential data loss or disruption.

Affected Version(s)

parisneo/lollms-webui < unspecified

References

https://huntr.com/bounties/67ead5b9-8149-4001-a1cd-ac648c...
https://github.com/parisneo/lollms-webui/commit/dcc078cbe...

CVSS V3.0

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.
CVE-2024-8581 : Path Traversal Vulnerability in parisneo/lollms-webui | SecurityVulnerability.io