CVE-2024-6250

HIGH EXPLOITED NUCLEI

parisneo/lollms-webui <9.6 - Path Traversal

Title source: llm

Description

An absolute path traversal vulnerability exists in parisneo/lollms-webui v9.6, specifically in the `open_file` endpoint of `lollms_advanced.py`. The `sanitize_path` function with `allow_absolute_path=True` allows an attacker to access arbitrary files and directories on a Windows system. This vulnerability can be exploited to read any file and list arbitrary directories on the affected system.

Nuclei Templates (1)

LOLLMS WebUI - Absolute Path Traversal

HIGHby ritikchaddha

References (1)

[Exploit, Issue Tracking, Third Party Advisory] https://huntr.com/bounties/11a8bf9d-16f3-49b3-b5fc-ad36d8993c73

Scores

CVSS v3 7.5

EPSS 0.1125

EPSS Percentile 93.5%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

VulnCheck KEV 2026-02-20

CWE

CWE-36

Status published

Products (1)

lollms/lollms_web_ui 9.6

Published Jun 27, 2024

Tracked Since Feb 18, 2026