AVID-2026-R1396

Description

Cross-Site Request Forgery (CSRF) Leading to Remote Code Execution in parisneo/lollms-webui (CVE-2024-1522)

Details

A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote attackers to execute arbitrary code on a victim’s system. The vulnerability stems from the /execute_code API endpoint, which does not properly validate requests, enabling an attacker to craft a malicious webpage that, when visited by a victim, submits a form to the victim’s local lollms-webui instance to execute arbitrary OS commands. This issue allows attackers to take full control of the victim’s system without requiring direct network access to the vulnerable application.
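As an added illustration (not code from lollms-webui or from the advisory), the check below is the kind of server-side gate the /execute_code endpoint lacked: it refuses any state-changing request that a cross-site HTML form could produce. The localhost:9600 origins, the function name `csrf_check` and the `X-Requested-With: lollms-webui` header value are assumptions for this example.

```python
# Added example, not lollms-webui code: a defensive CSRF gate for a
# state-changing route such as /execute_code. It rejects every request
# shape a cross-site <form> submission can produce.
from urllib.parse import urlsplit

# Origins the UI itself is served from (assumed for this example).
ALLOWED_ORIGINS = {"http://localhost:9600", "http://127.0.0.1:9600"}

def origin_of(url):
    """Reduce a URL (Origin or Referer value) to scheme://host[:port]."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}" if p.scheme and p.netloc else None

def csrf_check(method, headers, allowed_origins=ALLOWED_ORIGINS):
    """Return (allowed, reason) for one request; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"          # must have no side effects
    # 1. Provenance: browsers attach Origin to cross-site POSTs, so a forged
    #    form submission from another site fails here (Origin "null" too).
    src = h.get("origin") or h.get("referer")
    if src is None:
        return False, "missing Origin/Referer"
    if origin_of(src) not in allowed_origins:
        return False, f"cross-site origin {origin_of(src)}"
    # 2. Shape: an HTML form can only send urlencoded, multipart or
    #    text/plain bodies and cannot set custom headers; a JSON body plus a
    #    custom header can only come from same-origin script (cross-origin
    #    script would be stopped by the CORS preflight).
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, f"unexpected content type {ctype or '<none>'}"
    if h.get("x-requested-with") != "lollms-webui":
        return False, "missing X-Requested-With"
    return True, "ok"

if __name__ == "__main__":
    # Constructed request headers: a cross-site form POST vs. the UI's own fetch.
    print(csrf_check("POST", {"Origin": "https://other.example",
                              "Content-Type": "application/x-www-form-urlencoded"}))
    print(csrf_check("POST", {"Origin": "http://localhost:9600",
                              "Content-Type": "application/json",
                              "X-Requested-With": "lollms-webui"}))
```

Because the endpoint needed no credentials (PR:N in the CVSS vector), cookie-based defences such as SameSite attributes do not apply; the provenance and request-shape checks above work without any session.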

Reason for inclusion in AVID: The CVE describes a CSRF leading to remote code execution in the parisneo/lollms-webui web UI, a component commonly used in AI model hosting/inference stacks. This is a software vulnerability in an AI tooling component that could impact general-purpose AI systems, and the report provides explicit CVE details and impact (RCE, CSRF, affected endpoint). This aligns with software supply chain concerns in AI stacks (dependencies/tools used to run AI models).

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      ◦ Type: System
      ◦ Name: parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

Version: 3.0
Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Base Score: 8.8
Base Severity: 🔴 High
Attack Vector: NETWORK
Attack Complexity: 🟢 Low
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: 🔴 High
Integrity Impact: 🔴 High
Availability Impact: 🔴 High

CWE

  • CWE-352: Cross-Site Request Forgery (CSRF)

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-03-30
  • Version: 0.3.3
  • AVID Entry