Description
A Path Traversal vulnerability exists in the `/wipe_database` endpoint of parisneo/lollms version v12, allowing an attacker to delete any directory on the system. The vulnerability arises from improper validation of the `key` parameter, which is used to construct file paths. An attacker can exploit this by sending a specially crafted HTTP request to delete arbitrary directories.
References (1)
Core 1
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/1f6c8908-d486-4141-be55-25bd29933d8b
Scores
CVSS v3
7.1
EPSS
0.0027
EPSS Percentile
18.1%
Attack Vector
LOCAL
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (1)
parisneo/parisneo/lollms
unspecified - latest
Published
Mar 20, 2025
Tracked Since
Feb 18, 2026