Vulnerabilities > Lollms > Lollms WEB UI
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-03-20 | CVE-2024-8736 | Cross-Site Request Forgery (CSRF) vulnerability in Lollms web UI 12 A Denial of Service (DoS) vulnerability exists in multiple file upload endpoints of parisneo/lollms-webui version V12 (Strawberry). | 6.5 |
| 2025-03-20 | CVE-2024-8898 | Unspecified vulnerability in Lollms web UI 12 A path traversal vulnerability exists in the `install` and `uninstall` API endpoints of parisneo/lollms-webui version V12 (Strawberry). | 9.8 |
| 2025-03-20 | CVE-2024-9920 | Unrestricted Upload of File with Dangerous Type vulnerability in Lollms web UI 12 In version v12 of parisneo/lollms-webui, the 'Send file to AL' function allows uploading files with various extensions, including potentially dangerous ones like .py, .sh, .bat, and more. | 8.8 |
| 2025-03-20 | CVE-2025-1451 | Resource Exhaustion vulnerability in Lollms web UI 13 A vulnerability in parisneo/lollms-webui v13 arises from the server's handling of multipart boundaries in file uploads. | 7.5 |
| 2024-10-29 | CVE-2024-6673 | Cross-Site Request Forgery (CSRF) vulnerability in Lollms web UI A Cross-Site Request Forgery (CSRF) vulnerability exists in the `install_comfyui` endpoint of the `lollms_comfyui.py` file in the parisneo/lollms-webui repository, versions v9.9 to the latest. | 6.5 |
| 2024-10-29 | CVE-2024-6674 | Origin Validation Error vulnerability in Lollms web UI A CORS misconfiguration in parisneo/lollms-webui prior to version 10 allows attackers to steal sensitive information such as logs, browser sessions, and settings containing private API keys from other services. | 7.1 |
| 2024-10-13 | CVE-2024-6959 | Cross-Site Request Forgery (CSRF) vulnerability in Lollms web UI 9.8 A vulnerability in parisneo/lollms-webui version 9.8 allows for a Denial of Service (DOS) attack when uploading an audio file. | 7.1 |
| 2024-06-27 | CVE-2024-5933 | Cross-site Scripting vulnerability in Lollms web UI A Cross-site Scripting (XSS) vulnerability exists in the chat functionality of parisneo/lollms-webui in the latest version. | 5.4 |
| 2024-06-06 | CVE-2024-3322 | Unspecified vulnerability in Lollms web UI A path traversal vulnerability exists in the 'cyber_security/codeguard' native personality of the parisneo/lollms-webui, affecting versions up to 9.5. | 9.8 |
| 2024-06-06 | CVE-2024-4320 | Path Traversal vulnerability in Lollms web UI A remote code execution (RCE) vulnerability exists in the '/install_extension' endpoint of the parisneo/lollms-webui application, specifically within the `@router.post("/install_extension")` route handler. | 9.8 |