CVE-2024-4841

LOW EXPLOITED NUCLEI

lollms-webui v9.6-latest - Path Traversal via add_reference_to_local_model Endpoint

Title source: llm

Exploitation Summary

CVE-2024-4841 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

A path traversal vulnerability exists in parisneo/lollms-webui, within the 'add_reference_to_local_model' function, due to a lack of input sanitization. It affects versions v9.6 through the latest release. The 'path' parameter of HTTP requests to the '/add_reference_to_local_model' endpoint is used without sanitization, so an attacker can submit arbitrary paths (absolute paths or '../' sequences) and, from the differing responses, infer which folders, subfolders and files exist on the victim's machine: the endpoint acts as an existence oracle, which is the "subfolder prediction" the Nuclei template below checks for. Note that the CVSS vector below scores the attack vector as Local even though the vulnerable code is an HTTP endpoint; practical exposure depends on which interface the WebUI is bound to and who can reach it.
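The flaw class described above, as an added Python illustration that is not lollms-webui's own code: a handler that checks a client-supplied path with exists() and reports the result leaks whether any path on the host exists, while the hardened variant confines the path to a models directory and returns one generic error for everything else. The function names, the models_root argument and the response shapes are assumptions made for this example, and the files it probes are a fixture it creates in a temporary directory.

```python
"""Existence-oracle path traversal: vulnerable handler beside a hardened one.

Added illustration of the flaw class described for CVE-2024-4841; it is not
lollms-webui's code. The handler names, the 'models_root' argument and the
response shapes are assumptions made for this example.
"""
import shutil
import tempfile
from pathlib import Path


def vulnerable_add_reference(path: str) -> dict:
    """Models the unsanitized handler: whatever path the client supplies is
    checked with exists() and the outcome is reported back, so the response
    doubles as an oracle for which files and folders exist anywhere on the host."""
    if not path.strip():
        return {"status": False, "error": "Invalid path"}
    if Path(path).exists():            # absolute paths and ../ are both accepted
        return {"status": True}
    return {"status": False, "error": "Model not found"}


def hardened_add_reference(path: str, models_root: Path) -> dict:
    """Confines the reference to models_root: the candidate is fully resolved
    (symlinks included) and must remain inside the root, and only a regular
    file is accepted. Every rejected request gets the same generic error, so
    the response no longer distinguishes 'outside the root' from 'absent'."""
    root = models_root.resolve()
    try:
        candidate = (root / path).resolve(strict=False)
        candidate.relative_to(root)    # ValueError if the path escaped the root
    except ValueError:
        return {"status": False, "error": "Invalid path"}
    if not candidate.is_file():
        return {"status": False, "error": "Invalid path"}
    return {"status": True}


def probe(handler, paths):
    """What a scanner or attacker observes: True when the handler's reply
    confirms that the supplied path exists."""
    return {p: handler(p).get("status") is True for p in paths}


def demo() -> dict:
    """Constructed fixture: a models directory holding one real model file and
    a sibling directory holding a file the client must never learn about."""
    base = Path(tempfile.mkdtemp())
    models_root = base / "models"
    models_root.mkdir()
    (models_root / "real.bin").write_bytes(b"weights")
    private = base / "private"
    private.mkdir()
    secret = private / "secret.txt"
    secret.write_text("do not leak")
    missing = base / "missing.txt"     # never created

    targets = [
        "real.bin",                    # legitimate, inside the root
        str(secret),                   # absolute path outside the root
        "../private/secret.txt",       # classic traversal relative to the root
        str(missing),                  # exists nowhere
    ]
    # The vulnerable handler answers differently for the existing and the
    # absent file, which is exactly the leak; the hardened one only confirms
    # the in-root model and rejects everything else identically.
    leaky = probe(vulnerable_add_reference, [str(secret), str(missing)])
    safe = probe(lambda p: hardened_add_reference(p, models_root), targets)
    shutil.rmtree(base)
    return {"vulnerable": leaky, "hardened": safe,
            "secret": str(secret), "missing": str(missing)}


if __name__ == "__main__":
    for name, results in demo().items():
        print(name, results)
```

Probing with both an existing and an absent out-of-root path is the check that matters: if the two replies differ, the endpoint is an oracle regardless of what it writes afterwards.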

Nuclei Templates (1)

LoLLMS WebUI - Subfolder Prediction via Path Traversal
MEDIUM, by s4e-io
FOFA: LoLLMS WebUI - Welcome

References (1)


Scores

CVSS v3 3.3
EPSS 0.0067
EPSS Percentile 47.1%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

VulnCheck KEV 2026-03-11
CWE
CWE-29
Status published
Products (1)
lollms/lollms-webui 9.6
Published Jun 23, 2024
Tracked Since Feb 18, 2026