
AVID-2026-R1596

Description

Remote Code Execution in Calculate Function in parisneo/lollms (CVE-2024-6982)

Details

A remote code execution vulnerability exists in the Calculate function of parisneo/lollms version 9.8. The vulnerability arises from the use of Python’s eval() function to evaluate mathematical expressions within a Python sandbox that disables __builtins__ and only allows functions from the math module. This sandbox can be bypassed by loading the os module using the _frozen_importlib.BuiltinImporter class, allowing an attacker to execute arbitrary commands on the server. The issue is fixed in version 9.10.

Reason for inclusion in AVID: The CVE describes a remote code execution vulnerability in parisneo/lollms, an AI framework/library used in ML pipelines. It exploits unsafe use of eval in a Calculate function, enabling arbitrary command execution within an AI software stack. This is a software component used to build/deploy AI systems, not hardware/firmware, and it poses a security risk (RCE) with public CVE details and a fixed version. Therefore it is a relevant software supply chain vulnerability for general-purpose AI systems.

References

Affected or Relevant Artifacts

  • Developer: parisneo
  • Deployer: parisneo
  • Artifact Details:
      Type: System
      Name: parisneo/lollms

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

CVSS

  • Version: 3.0
  • Vector String: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Base Score: 8.4
  • Base Severity: 🔴 High
  • Attack Vector: LOCAL
  • Attack Complexity: 🟢 Low
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: 🔴 High
  • Integrity Impact: 🔴 High
  • Availability Impact: 🔴 High

CWE

  • ID: CWE-94
  • Description: Improper Control of Generation of Code

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2025-03-20
  • Version: 0.3.3
  • AVID Entry