PT-2026-53486 · Pypi · Lollms

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.1

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backslash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including personalities and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availability.
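As an added illustration (not the project's own code), the following contrasts a constructed forward-slash-only check, which models the class of bug described above, with a hardened join that treats backslashes as separators and confines the resolved path to a base directory; `naive_is_safe`, `safe_join`, `hardened_rejects` and `BASE_DIR` are hypothetical names.

```python
import os
import tempfile
from pathlib import PurePosixPath, PureWindowsPath

# Constructed scratch directory standing in for a presets/personalities folder.
BASE_DIR = tempfile.mkdtemp(prefix="presets_")


def naive_is_safe(user_path: str) -> bool:
    """Hypothetical forward-slash-only check (not the lollms code).
    It only looks for '..' between '/' separators, so a Windows-style
    '..\\..\\Windows\\win.ini' contains no '/' at all and is accepted."""
    return ".." not in user_path.split("/")


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir, treating '\\' as a separator too.
    Raises ValueError for absolute paths, drive/UNC prefixes, or any
    resolved location that is not strictly below base_dir."""
    base = os.path.realpath(base_dir)
    # Windows absolute (C:\..., \\server\share, \foo) or POSIX absolute (/foo)
    if PureWindowsPath(user_path).anchor or PurePosixPath(user_path).is_absolute():
        raise ValueError("absolute paths are not allowed")
    # Fold backslashes into forward slashes so '..\\' cannot hide from the check
    normalised = user_path.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(base, normalised))
    # The resolved path must lie strictly below the base directory
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes the base directory")
    return candidate


def hardened_rejects(user_path: str) -> bool:
    """True when safe_join refuses user_path relative to BASE_DIR."""
    try:
        safe_join(BASE_DIR, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for p in ["my_preset.yaml", "sub\\nested.yaml", "../../etc/passwd",
              "..\\..\\Windows\\win.ini", "C:\\Windows\\win.ini", "\\\\srv\\share\\x"]:
        print(f"{p!r:32} naive_is_safe={naive_is_safe(p)} hardened_rejects={hardened_rejects(p)}")
```

The hardened version is intentionally independent of the host OS, so the backslash case is rejected even when the check runs on Linux.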

Fix


Related Identifiers

PYSEC-2026-403

Affected Products

Lollms