AVID-2026-R1628
Description
Path Traversal in parisneo/lollms-webui (CVE-2024-8898)
Details
A path traversal vulnerability exists in the install and uninstall API endpoints of parisneo/lollms-webui version V12 (Strawberry). This vulnerability allows attackers to create or delete directories with arbitrary paths on the system. The issue arises due to insufficient sanitization of user-supplied input, which can be exploited to traverse directories outside the intended path.
Reason for inclusion in AVID: The CVE describes a path traversal vulnerability in parisneo/lollms-webui (an AI/web UI component used in ML pipelines). This is a software vulnerability in a component commonly used to build/run general-purpose AI systems, impacting the AI software stack. There is sufficient evidence (CVE entry and references) describing the vulnerability and impact.
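As an added illustration (not code from lollms-webui or from the fix commit), the join-without-validation pattern the advisory describes is shown next to a containment check that refuses any install or uninstall name that would map outside the install root; function names, the allow-list pattern and the sample names are assumptions.

```python
import os
import re
from pathlib import Path

# Allow-list for a single directory name: no separators, no leading dot,
# so "..", "../x" and "/etc" are rejected before any filesystem lookup.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


class UnsafePathError(ValueError):
    """Raised when a user-supplied name would map outside the install root."""


def naive_target(install_root: str, name: str) -> str:
    # The pattern the advisory describes: the supplied name is joined to the
    # root with no validation, so ".." segments in `name` walk out of it.
    return os.path.normpath(os.path.join(install_root, name))


def checked_target(install_root: str, name: str) -> Path:
    """Return root/name only if `name` is one plain component and the
    resolved path is strictly inside install_root; otherwise raise."""
    if not SAFE_NAME.fullmatch(name):
        raise UnsafePathError(f"rejected name: {name!r}")
    root = Path(install_root).resolve()
    candidate = (root / name).resolve()  # collapses ".." and follows symlinks
    # Defence in depth: even an allow-listed name can be a symlink that
    # already exists under the root and points elsewhere.
    if candidate == root or root not in candidate.parents:
        raise UnsafePathError(f"escapes install root: {name!r}")
    return candidate


def is_contained(install_root: str, name: str) -> bool:
    """True if creating or deleting root/name would stay inside install_root."""
    try:
        checked_target(install_root, name)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    root = os.getcwd()  # stand-in for the install root
    for name in ("my_binding", "../../etc", "/etc", "a/b", ".."):
        print(f"{name!r:12} naive={naive_target(root, name)!s:40} "
              f"contained={is_contained(root, name)}")
```

The symlink case is why the resolved-path check is kept even though the allow-list already rejects separators and dot segments.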
References
- NVD entry
- https://huntr.com/bounties/6072371f-0ddc-42e3-9207-1c6d6b18d32f
- https://github.com/parisneo/lollms-webui/commit/6d07c8a0dd0a15cc060becc73fda9fe8e788eb23
Affected or Relevant Artifacts
- Developer: parisneo
- Deployer: parisneo
- Artifact Details:
| Type | Name |
|---|---|
| System | parisneo/lollms-webui |
Impact
AVID Taxonomy Categorization
- Risk domains: Security
- SEP subcategories: S0100: Software Vulnerability
- Lifecycle stages: L06: Deployment
CVSS
| Metric | Value |
|---|---|
| Version | 3.0 |
| Vector String | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| Base Score | 6.7 |
| Base Severity | 🟠 Medium |
| Attack Vector | LOCAL |
| Attack Complexity | 🟢 Low |
| Privileges Required | 🔴 High |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | 🔴 High |
| Integrity Impact | 🔴 High |
| Availability Impact | 🔴 High |
CWE
| ID | Description |
|---|---|
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
Other information
- Report Type: Advisory
- Credits:
- Date Reported: 2025-03-20
- Version: 0.3.3
- AVID Entry