CVE-2024-6139

HIGH

parisneo/lollms <9.6 - Path Traversal


Description

A path traversal vulnerability exists in the XTTS server of the parisneo/lollms package version v9.6. This vulnerability allows an attacker to write audio files to arbitrary locations on the system and enumerate file paths. The issue arises from improper validation of user-provided file paths in the `tts_to_file` endpoint.

Scores

CVSS v3 7.3
EPSS 0.0012
EPSS Percentile 30.7%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-29
Status published
Products (2)
parisneo/parisneo/lollms unspecified - latest
pypi/lollms (PyPI)
Published Jun 27, 2024
Tracked Since Feb 18, 2026