PT-2024-23903 · Parisneo · Lollms-Webui

Published 2024-05-16 · Updated 2024-05-16 · CVE-2024-3126

CVSS v3.1: 8.4 (High)

Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms-webui versions prior to 9.5

Description: A command injection issue exists due to the improper neutralization of special elements in an OS command within the run_xtts_api_server function of the lollms_xtts.py script. The xtts_base_url parameter reaches that OS command without being neutralized, so an attacker who can manipulate it is able to execute arbitrary commands remotely, potentially leading to arbitrary remote code execution on the system where the application is deployed.

Recommendations: For versions prior to 9.5, update to version 9.5 or later to resolve the issue. As a temporary workaround, restrict access to the run_xtts_api_server function or sanitize the xtts_base_url input to prevent command injection attacks.
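The pattern behind this advisory is a user-controlled URL that is interpolated into an OS command and handed to a shell. The following is an added illustration, not code from lollms-webui: the launcher name xtts_api_server, the --base-url flag and the function names are assumptions, since the advisory does not show the project's command line. It places the "before" shape (a single shell string) beside the hardened shape (strict URL validation, an argv list, and no shell), which is the sanitization the workaround above refers to.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Hypothetical launcher name: the advisory does not show the project's command line.
XTTS_LAUNCHER = "xtts_api_server"

# Conservative shape for a base URL: scheme, host, optional port, optional simple path.
# Shell metacharacters (; & | ` $ quotes whitespace newlines) can never match it.
XTTS_URL_PATTERN = re.compile(r"^https?://[A-Za-z0-9.-]+(:[0-9]{1,5})?(/[A-Za-z0-9._~%/-]*)?$")


def unsafe_command_string(xtts_base_url: str) -> str:
    """The 'before' pattern: the parameter is interpolated into one shell string.
    Handed to a shell, every special character in the URL would be parsed as command
    syntax. Returned here for contrast only; it is never executed."""
    return f"{XTTS_LAUNCHER} --base-url {xtts_base_url}"


def validate_xtts_base_url(xtts_base_url: str) -> str:
    """Accept only a well-formed absolute http(s) base URL; raise ValueError otherwise."""
    if not XTTS_URL_PATTERN.fullmatch(xtts_base_url):
        raise ValueError("xtts base url contains characters outside the allowed URL shape")
    parts = urlsplit(xtts_base_url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("xtts base url must be an absolute http(s) URL with a host")
    _ = parts.port  # urlsplit raises ValueError when the port is outside 0-65535
    return xtts_base_url


def is_safe_xtts_base_url(xtts_base_url: str) -> bool:
    """Convenience predicate around validate_xtts_base_url for callers that prefer a bool."""
    try:
        validate_xtts_base_url(xtts_base_url)
        return True
    except ValueError:
        return False


def build_xtts_server_argv(xtts_base_url: str) -> list:
    """Hardened builder: validated input, one argv element per argument, no shell."""
    return [XTTS_LAUNCHER, "--base-url", validate_xtts_base_url(xtts_base_url)]


def launch_xtts_api_server(xtts_base_url: str) -> "subprocess.Popen":
    """Hypothetical launcher. With shell=False the argv list goes straight to execve,
    so the URL can only ever be the value of --base-url, never additional commands."""
    return subprocess.Popen(build_xtts_server_argv(xtts_base_url), shell=False)


if __name__ == "__main__":
    # Constructed samples: a legitimate local endpoint and an injection-shaped value.
    for sample in ("http://127.0.0.1:8020", "http://127.0.0.1:8020; echo injected"):
        try:
            print("accepted:", build_xtts_server_argv(sample))
        except ValueError as exc:
            print("rejected:", repr(sample), "->", exc)
```

The two defences are independent and both matter: the allow-list regex rejects anything that is not URL-shaped before it is used, and shell=False with an argv list means that even a value which slips past validation is passed to the program as a single argument rather than re-parsed as command syntax.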

Fix

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2024-3126

Affected Products

Lollms-Webui