Parisneo Lollms-Webui Local File Inclusion Vulnerability in Reinstall Extension Endpoint Allowing Remote Code Execution

Vulnerability

A Local File Inclusion (LFI) vulnerability has been identified in the Parisneo Lollms-Webui application, specifically within the '/reinstall_extension' endpoint. The vulnerability arises in the 'name' parameter of the '@router.post("/reinstall_extension")' route, allowing attackers to inject malicious payloads. This exploitation leads to the server executing arbitrary Python files from the upload directory associated with discussions. The issue is caused by the direct concatenation of 'data.name' with 'lollmsElfServer.lollms_paths.extensions_zoo_path', which is then used as an argument for 'ExtensionBuilder().build_extension()'. The server's handling of the '__init__.py' file in arbitrary locations, facilitated by 'importlib.machinery.SourceFileLoader', enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of Parisneo Lollms-Webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to '0.0.0.0' or in 'headless mode'. No user interaction is required for exploitation.
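The root cause described above is a trusted base directory joined with a request-supplied name and handed straight to a loader that executes whatever '__init__.py' it finds. The following added illustration (not code from Lollms-Webui; every function and directory name in it is an assumption chosen for the example) places that flawed join next to a hardened resolver that only accepts a single plain path component and verifies the resolved path is still inside the extensions directory before anything is loaded:

```python
# Added illustration for this advisory; not code from Lollms-Webui. It shows the
# flawed pattern (untrusted 'name' joined directly onto the extensions directory)
# next to a hardened resolver that refuses anything outside that directory.
# All function and directory names here are assumptions chosen for the example.
import importlib.util
import tempfile
from pathlib import Path


class UnsafeExtensionName(ValueError):
    """The requested name does not denote a directory under the extensions root."""


def vulnerable_extension_path(extensions_root: Path, name: str) -> Path:
    # Same shape as the bug described above: the request-supplied name is
    # concatenated onto the trusted base path without validation, so a name
    # containing '../' segments walks out of the extensions directory.
    return extensions_root / name


def safe_extension_path(extensions_root: Path, name: str) -> Path:
    # Reject anything that is not a single, plain path component up front.
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise UnsafeExtensionName(f"rejected extension name: {name!r}")
    root = extensions_root.resolve()
    candidate = (root / name).resolve()  # resolve() also follows symlinks
    # Containment check: relative_to() raises ValueError if candidate is outside root.
    try:
        candidate.relative_to(root)
    except ValueError:
        raise UnsafeExtensionName(f"extension path escapes root: {candidate}") from None
    if not (candidate / "__init__.py").is_file():
        raise FileNotFoundError(f"no extension package at {candidate}")
    return candidate


def load_extension(extensions_root: Path, name: str):
    # Only a validated path ever reaches the file loader that executes __init__.py.
    package_dir = safe_extension_path(extensions_root, name)
    spec = importlib.util.spec_from_file_location(f"ext_{name}", package_dir / "__init__.py")
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def demo() -> dict:
    # Constructed layout: an extensions dir with one legitimate extension, and a
    # sibling 'uploads' dir (standing in for a user-writable discussion upload
    # directory) that also contains an __init__.py.
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        ext_root = base / "extensions_zoo"
        (ext_root / "hello").mkdir(parents=True)
        (ext_root / "hello" / "__init__.py").write_text("NAME = 'hello extension'\n")
        (base / "uploads").mkdir()
        (base / "uploads" / "__init__.py").write_text("NAME = 'should never be loaded'\n")

        traversal = "../uploads"
        flawed = vulnerable_extension_path(ext_root, traversal).resolve()
        results = {
            # Flawed join: the traversal name lands on the sibling directory.
            "vulnerable_escapes_root": flawed == (base / "uploads").resolve(),
            "safe_rejects_traversal": False,
            "safe_rejects_absolute": False,
            "safe_loads_legitimate": None,
        }
        try:
            safe_extension_path(ext_root, traversal)
        except UnsafeExtensionName:
            results["safe_rejects_traversal"] = True
        try:
            safe_extension_path(ext_root, str(base / "uploads"))
        except UnsafeExtensionName:
            results["safe_rejects_absolute"] = True
        results["safe_loads_legitimate"] = load_extension(ext_root, "hello").NAME
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two checks are deliberately layered: the character filter rejects separators and absolute paths before any filesystem access, and the resolve-then-relative_to containment check catches what a filter alone misses, such as a symlink inside the extensions directory that points elsewhere. Either check on its own is the kind of partial fix that traversal bugs tend to survive.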

Impact

Exploitation of this vulnerability allows for Remote Code Execution on the server where Lollms-Webui is running.

Reproduction

To reproduce this vulnerability, send a POST request to the '/reinstall_extension' endpoint with a 'name' parameter that includes a path traversal payload. This payload should be crafted to navigate to the upload directory for discussions and overwrite the '__init__.py' file with a malicious version that executes arbitrary code. Once the malicious payload is uploaded, the same endpoint can be used to trigger the execution of the injected code, leading to remote code execution on the server.

Remediation

The vulnerability has been fixed in version 9.5 of the Parisneo Lollms-Webui application. Users should update to this version to address the issue.

Added: Feb 2, 2026, 11:24 AM
Updated: Feb 2, 2026, 11:24 AM

Vulnerability Rating

Custom Algorithm

  category        score
  spread          0.3
  impact          2.5
  exploitability  9.1
  remediation     8.3
  relevance       2.4
  threat          6.4
  urgency         2.9
  incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.