CRITICAL🇵🇱 Wersja polska

CVE-2024-4326

CVSS 9.8v3.0pub. 2024-05-16upd. 2025-07-09

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the `/apply_settings` and `/execute_code` endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the `/apply_settings` endpoint. Subsequently, arbitrary commands can be executed remotely via the `/execute_code` endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

🤖 AI Analysis
How it works

An attacker can bypass protective mechanisms by setting the host value to localhost in a request to the `/apply_settings` endpoint, which allows code execution to be enabled while code validation is disabled simultaneously. Then, exploiting the delay in enforcing new settings, the attacker sends a request to the `/execute_code` endpoint with arbitrary commands to execute. As a result, remote execution of arbitrary system commands is possible without requiring any permissions.

Impact

An attacker can gain full control over the system running the application — including access to sensitive data, ability to modify the system and destabilize it (violation of confidentiality, integrity, and availability).

Mitigation & patch

Update lollms-webui to version 9.5 or newer, in which the vulnerability has been fixed. The patch is available in the vendor's GitHub repository (commit abb4c6d495a95a3ef5b114ffc57f85cd650b905e).

Who is affected

parisneo/lollms-webui in versions up to and including 9.3

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Lollms Web Ui

    APP
    Lollms
    < 9.5
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCE
CWE
References

Related vulnerabilities

CVE-2026-33340CRITICAL9.1PL ✓ten sam produkt

SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów

CVE-2024-8898CRITICAL9.8PL ✓ten sam produkt

Path traversal w API install/uninstall lollms-webui V12 (Strawberry)

CVE-2024-8581CRITICAL9.1PL ✓ten sam produkt

Path Traversal w lollms-webui umożliwia usunięcie dowolnego pliku

CVE-2024-1873CRITICAL9.1PL ✓ten sam produkt

Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui

CVE-2024-2359CRITICAL9.8PL ✓ten sam produkt

Command Injection w lollms-webui — obejście zabezpieczeń i RCE