GHSA-vqwr-q6cc-c242

GitHub Security Advisory

parisneo/lollms Local File Inclusion (LFI) attack

✓ GitHub Reviewed CRITICAL Has CVE

Advisory Details

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) due to insufficient path sanitization. The `sanitize_path_from_endpoint` function does not handle Windows-style paths (backslash `\` separators), so on Windows hosts a backslash-separated traversal sequence passes the check and lets an attacker perform directory traversal. The flaw is reachable through several API routes, including `personalities` and `/del_preset`, and allows an attacker to read or delete arbitrary files on the Windows filesystem, compromising confidentiality (file read) and availability (file deletion).
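To make the failure mode concrete, the following is an added example written for this page; it is not lollms's own `sanitize_path_from_endpoint`, whose real implementation is not reproduced here. `sanitize_path_weak` is a hypothetical sanitizer that only recognises `/` as a separator, `resolve_on_windows_unsafely` shows what a Windows host does with its output, and `sanitize_path_hardened` / `resolve_inside_base` treat both separators uniformly and verify containment. The base directories are assumptions standing in for wherever an application keeps per-user files such as personalities or presets.

```python
import ntpath
import posixpath
from pathlib import PureWindowsPath

# Assumed base directories for this example (not paths from the project).
WINDOWS_BASE = r"C:\app\personalities"
POSIX_BASE = "/app/personalities"


def sanitize_path_weak(user_path: str) -> str:
    """Reconstruction of the failure mode described in the advisory: traversal
    is only recognised when the path is split on '/'. A backslash-separated
    path passes through untouched. Hypothetical; not the project's real code."""
    if ".." in user_path.split("/"):
        raise ValueError("traversal detected")
    return user_path.lstrip("/")


def resolve_on_windows_unsafely(base: str, user_path: str) -> str:
    """What a Windows host does with the weakly sanitised value: ntpath treats
    '\\' as a separator, so the '..' components walk out of the base directory.
    ntpath is used explicitly so the demonstration runs on any OS."""
    return ntpath.normpath(ntpath.join(base, sanitize_path_weak(user_path)))


def sanitize_path_hardened(user_path: str) -> str:
    """Treat '\\' and '/' as separators whatever the host OS, refuse drive
    letters, UNC shares and absolute paths, and reject any '..' component."""
    if PureWindowsPath(user_path).drive:  # 'C:' or '\\\\server\\share'
        raise ValueError("drive or UNC path rejected")
    normalized = user_path.replace("\\", "/")
    if normalized.startswith("/"):
        raise ValueError("absolute path rejected")
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty path or traversal rejected")
    return "/".join(parts)


def resolve_inside_base(base: str, user_path: str) -> str:
    """Belt and braces: after sanitising, verify the joined result still lies
    under the base directory before touching the filesystem."""
    clean = sanitize_path_hardened(user_path)
    full = posixpath.normpath(posixpath.join(base, clean))
    if full != base and not full.startswith(base.rstrip("/") + "/"):
        raise ValueError("path escapes base directory")
    return full


def raises_value_error(fn, *args) -> bool:
    """Small helper so callers can check rejection without try/except noise."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Forward-slash traversal is caught by the weak sanitizer ...
    print(raises_value_error(sanitize_path_weak, "../../etc/passwd"))
    # ... but the backslash form sails through and resolves outside the base.
    print(resolve_on_windows_unsafely(WINDOWS_BASE, r"..\..\Windows\win.ini"))
    # The hardened version rejects both forms and keeps legitimate paths.
    print(raises_value_error(sanitize_path_hardened, r"..\..\Windows\win.ini"))
    print(resolve_inside_base(POSIX_BASE, r"sub\preset.yaml"))
```

The key design point is that the hardened function normalises separators before looking for `..`, rather than trusting the host's `os.path` behaviour: a Linux-developed check that only splits on `/` is exactly what fails once the service is deployed on Windows. Rejecting drive letters and UNC prefixes closes the other Windows-specific escape, and the final containment check guards against any normalisation case the component filter misses.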

Affected Packages

PyPI lollms
Affected versions: all versions before 9.5.0 (fixed in 9.5.0)

Key Information

GHSA ID
GHSA-vqwr-q6cc-c242
Published
June 12, 2024 3:31 AM
Last Modified
June 12, 2024 5:12 PM
CVSS Score
9.0 / 10
Primary Ecosystem
PyPI
Primary Package
lollms
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.