
AVID-2026-R1528

Description

Remote Code Execution via /apply_settings and /execute_code in parisneo/lollms-webui (CVE-2024-4326)

Details

A vulnerability in parisneo/lollms-webui versions up to 9.3 allows remote attackers to execute arbitrary code. The vulnerability stems from insufficient protection of the /apply_settings and /execute_code endpoints. Attackers can bypass protections by setting the host to localhost, enabling code execution, and disabling code validation through the /apply_settings endpoint. Subsequently, arbitrary commands can be executed remotely via the /execute_code endpoint, exploiting the delay in settings enforcement. This issue was addressed in version 9.5.

Reason for inclusion in AVID: CVE-2024-4326 describes a remote code execution vulnerability in the parisneo/lollms-webui web UI, allowing attackers to execute arbitrary commands via exposed endpoints. This is a software vulnerability directly affecting an AI deployment/serving stack component, with clear impact on AI systems. The affected component is used in building/deploying AI workloads, thus relevant to the general-purpose AI supply chain. The report provides explicit vulnerability details, affected versions, exploit path, CVSS scores, and remediation, giving sufficient signal for curation.
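Added here as a defender-side illustration, not code from the AVID entry or from the lollms-webui project: a small Python checker that parses constructed access-log lines and flags any non-loopback client reaching /apply_settings or /execute_code, and specifically the chain described above (a remote /apply_settings shortly followed by /execute_code). The sample log lines, the loopback address set and the five-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample access-log lines in Common Log Format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2024:10:00:01 +0000] "POST /apply_settings HTTP/1.1" 200 17
10.0.0.5 - - [16/May/2024:10:00:03 +0000] "POST /execute_code HTTP/1.1" 200 512
127.0.0.1 - - [16/May/2024:10:05:00 +0000] "POST /apply_settings HTTP/1.1" 200 17
127.0.0.1 - - [16/May/2024:10:05:02 +0000] "POST /execute_code HTTP/1.1" 200 40
192.168.1.9 - - [16/May/2024:11:00:00 +0000] "GET /list_models HTTP/1.1" 200 300
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*"'
)
# Endpoints named in CVE-2024-4326 that should only ever be reached locally.
SENSITIVE = {"/apply_settings", "/execute_code"}
LOCAL_IPS = {"127.0.0.1", "::1"}  # assumed loopback set for this deployment


def parse(line):
    """Return a dict with ip, timestamp, method and path, or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"], "path": m["path"]}


def find_suspicious(log_text, window=timedelta(minutes=5)):
    """Flag (a) any non-loopback client hitting a sensitive endpoint and
    (b) a remote client calling /apply_settings then /execute_code within window."""
    findings = []
    last_apply = {}  # ip -> timestamp of that client's last /apply_settings
    for line in log_text.splitlines():
        rec = parse(line)
        if not rec or rec["path"] not in SENSITIVE or rec["ip"] in LOCAL_IPS:
            continue
        findings.append(f"remote {rec['ip']} called {rec['path']}")
        if rec["path"] == "/apply_settings":
            last_apply[rec["ip"]] = rec["ts"]
        elif rec["ip"] in last_apply and rec["ts"] - last_apply[rec["ip"]] <= window:
            findings.append(f"remote {rec['ip']} chained /apply_settings -> /execute_code")
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f)
```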

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      ◦ Type: System
      ◦ Name: parisneo/lollms-webui

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 9.8
  • Base Severity: 🔴 Critical
  • Attack Vector: NETWORK
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-15
  • Description: External Control of System or Configuration Setting

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2024-05-16
  • Version: 0.3.3
  • AVID Entry