parisneo lollms-webui Path Traversal and OS Command Injection Vulnerability

Vulnerability

A vulnerability exists in the 'start_app_server' function of parisneo/lollms-webui version 12 (Strawberry). The issue allows path traversal and operating system command injection. It arises because the function does not properly sanitize the 'app_name' parameter: an attacker who can upload a malicious 'server.py' file can use the traversal flaw to make the function start that file, executing arbitrary code.

Impact

Exploitation of this vulnerability could lead to unauthorized file access and execution of arbitrary code on the server.
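The root cause described above is an app name that is used to build a filesystem path without being confined to the apps directory. The following is an added example of the kind of check a defender would put in front of such a lookup; it is not lollms-webui's code, and the apps root directory, the function names and the per-app 'server.py' layout are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed location of installed apps (illustrative; not the project's real layout).
APPS_ROOT = Path("/srv/lollms/apps")

# Allowlist: an app name is a single plain directory name, nothing else.
_APP_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")


def resolve_app_server(app_name: str, apps_root: Path = APPS_ROOT) -> Path:
    """Return <apps_root>/<app_name>/server.py for a well-formed app name.

    Raises ValueError when the name is not a single allowed path component
    or when the resolved path would escape apps_root (defense in depth).
    """
    # First line of defense: reject separators, '..', NUL and odd characters
    # by only accepting names that match a strict allowlist.
    if not _APP_NAME_RE.fullmatch(app_name):
        raise ValueError("app name must be a single plain directory name")

    # Second line of defense: canonicalize (follows symlinks, collapses '..')
    # and confirm the target is still below the apps root.
    root = apps_root.resolve(strict=False)
    target = (root / app_name / "server.py").resolve(strict=False)
    if root not in target.parents:
        raise ValueError("resolved app path escapes the apps root")
    return target


def is_safe_app_name(app_name: str) -> bool:
    """Convenience wrapper: True if resolve_app_server would accept the name."""
    try:
        resolve_app_server(app_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate name, several traversal attempts.
    for name in ["demo_app", "../../etc", "a/../../b", "..", "x\x00y", "win\\path"]:
        print(f"{name!r:16} -> {'accepted' if is_safe_app_name(name) else 'rejected'}")
```

Confining the path is only part of the fix; which users may place a 'server.py' under the apps root, and whether that file is trusted, still decides who can run code on the host.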

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 10.0
exploitability: 4.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.