A path traversal vulnerability in the `/set_personality_config` endpoint of parisneo/lollms version 9.4.0 allows an attacker to overwrite the `configs/config.yaml` file. This can lead to remote code execution by changing server configuration properties such as `force_accept_remote_access` and `turn_on_code_validation`.

Affected Packages

PyPI lollms

Affected versions: 0 (fixed in 9.5.0)

Related CVEs

CVE-2024-5824

Key Information

GHSA ID

GHSA-m45c-v46h-c788

Published

June 27, 2024 9:32 PM

Last Modified

June 28, 2024 9:07 PM

CVSS Score

7.5 /10

Primary Ecosystem

PyPI

Primary Package

lollms

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 7, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.