A path traversal vulnerability exists in the `apply_settings` function of parisneo/lollms versions prior to 9.5.1. The `sanitize_path` function does not adequately secure the `discussion_db_name` parameter, allowing attackers to manipulate the path and potentially write to important system folders.

Affected Packages

PyPI lollms

Affected versions: 0 (fixed in 9.5.1)

Related CVEs

CVE-2024-6281

Key Information

GHSA ID

GHSA-8mrm-r7h3-c3hj

Published

July 20, 2024 6:30 AM

Last Modified

September 13, 2024 7:34 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

lollms

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 6, 2025 6:30 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.