A vulnerability in the `upload_app` function of parisneo/lollms-webui V12 (Strawberry) allows an attacker to delete any file or directory on the system. The function does not implement user input filtering with the `filename` value, causing a Path Traversal error.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:HLollms Web Ui
APPLollms12
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path Traversal
CWE
Related vulnerabilities
CVE-2026-33340CRITICAL9.1PL ✓ten sam produkt
SSRF i brak uwierzytelnienia w lollms-webui — dostęp do wewnętrznych zasobów
CVE-2024-8898CRITICAL9.8PL ✓ten sam produkt
Path traversal w API install/uninstall lollms-webui V12 (Strawberry)
CVE-2024-1873CRITICAL9.1PL ✓ten sam produkt
Path Traversal i DoS w endpoint /select_database aplikacji lollms-webui
CVE-2024-2359CRITICAL9.8PL ✓ten sam produkt
Command Injection w lollms-webui — obejście zabezpieczeń i RCE
CVE-2024-2360CRITICAL9.8PL ✓ten sam produkt
Path Traversal prowadzący do RCE w parisneo/lollms-webui