PT-2026-1064 · Lollms · Lollms

Published: 2025-12-29 · Updated: 2026-04-22 · CVE-2026-0560

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 2.2.0

Description: A Server-Side Request Forgery (SSRF) issue exists in the /api/files/export-content endpoint. The `download_image_to_temp()` function in backend/routers/files.py does not properly validate user-supplied URLs, so an attacker can make the server issue arbitrary HTTP requests to internal services and cloud metadata endpoints. This can result in internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

Recommendations: Update to version 2.2.0 or later.
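The defect described above is a server-side fetch that trusts a user-supplied URL. The check below is an added illustration of the validation such a function needs, not code from parisneo/lollms: it accepts only http(s), rejects embedded credentials, resolves the host, and refuses any address in loopback, private, link-local (including the cloud metadata range) or otherwise non-public space. The `resolve` parameter is a hypothetical hook so the check can be exercised without DNS.

```python
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Hypothetical validator for a server-side image fetch; not lollms project code.
ALLOWED_SCHEMES = {"http", "https"}

# Ranges a server-side fetcher must never reach on a user's behalf:
# loopback, RFC 1918, link-local (169.254.169.254 metadata lives here),
# CGNAT, "this network", multicast, IPv6 unique-local and link-local.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8", "224.0.0.0/4",
    "::1/128", "::/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def default_resolver(host: str) -> list[str]:
    """Return every address the host maps to; all of them must pass."""
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: no DNS needed
    except ValueError:
        pass
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_blocked_ip(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged by its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_unspecified or ip.is_reserved
            or any(ip in net for net in BLOCKED_NETWORKS))


def is_safe_download_url(url: str,
                         resolve: Callable[[str], Iterable[str]] = default_resolver) -> bool:
    """True only if url is http(s), has a plain host, and resolves solely to public addresses."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:  # user:pass@host confuses naive host parsing
        return False
    try:
        addrs = list(resolve(parts.hostname))
    except (socket.gaierror, ValueError):
        return False
    return bool(addrs) and not any(is_blocked_ip(a) for a in addrs)
```

A check before the fetch is still a time-of-check/time-of-use gap: the fetcher should connect to the addresses it validated rather than re-resolving, and re-run the check on every redirect target.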

Weakness Enumeration: SSRF

Related Identifiers: BDU:2026-06469, CVE-2026-0560

Affected Products: Lollms