Description
A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim's system without requiring direct network access to the vulnerable application.
References (2)
Core 2
Core References
Exploit, Issue Tracking, Patch, Third Party Advisory
https://huntr.com/bounties/687cef92-3432-4d6c-af92-868eccabbb71
Scores
CVSS v3
8.8
EPSS
0.0094
EPSS Percentile
76.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
total
Details
CWE
CWE-352
Status
published
Products (1)
lollms/lollms_web_ui
9.0 - 9.2
Published
Mar 30, 2024
Tracked Since
Feb 18, 2026