GHSA-6h64-g7cj-hj56

GitHub Security Advisory

Lord of Large Language Models (LoLLMs) path traversal vulnerability in the api open_personality_folder endpoint

✓ GitHub Reviewed | MODERATE | Has CVE

Advisory Details

A path traversal vulnerability exists in the open_personality_folder API endpoint of parisneo/lollms. It allows an attacker to read any folder in the personality_folder on the victim's computer, even though sanitize_path is set. The issue arises from improper sanitization of the personality_folder parameter, which can be exploited to traverse directories and access arbitrary files.

Affected Packages

PyPI lollms
Affected versions: 0 (last affected: 9.5.1)

Key Information

GHSA ID: GHSA-6h64-g7cj-hj56
Published: October 11, 2024 6:32 PM
Last Modified: October 11, 2024 7:44 PM
CVSS Score: 5.0/10
Primary Ecosystem: PyPI
Primary Package: lollms
GitHub Reviewed: ✓ Yes

Dataset

Last updated: September 12, 2025 6:34 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.