CVE-2026-0558

CVSS v2.0

Critical

Vector

AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions parisneo/lollms versions through 2.2.0

Description An issue exists in parisneo/lollms that allows unauthenticated users to upload and process files. The /api/files/extract-text endpoint does not require authentication, unlike other file-related endpoints, and is missing the Depends(get current active user) dependency. This can result in denial of service (DoS) through resource exhaustion, information disclosure, and a violation of the application’s security policies. The vulnerable API endpoint is /api/files/extract-text.

Recommendations Versions through 2.2.0 should be updated to a version where the /api/files/extract-text endpoint enforces authentication using Depends(get current active user).

Exploit

Fix

Missing Authentication

Improper Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306CWE-287

Related Identifiers

BDU:2026-06472

CVE-2026-0558

Affected Products

Lollms

CVE-2026-0558

Weakness Enumeration

Related Identifiers

Affected Products

References · 7