PT-2026-53486 · Pypi · Lollms
Published
2026-06-29
·
Updated
2026-06-29
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to sanitize Windows-style paths (backslash `\`), so an attacker can perform directory traversal on Windows hosts. The flaw is reachable through several routes, including `personalities` and `/del_preset`, and allows reading or deleting arbitrary files on the Windows filesystem, compromising confidentiality and availability.
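The flaw class above, re-created as an added example (this is not lollms's own `sanitize_path_from_endpoint`, and `BASE_DIR`, `weak_sanitize`, `safe_resolve` and the sample request paths are hypothetical). The weak sanitizer tokenizes on `/` only, so a backslash traversal string passes it and a Windows host then resolves it outside the base directory; the hardened version normalizes both separators, rejects absolute and drive-relative paths, and enforces containment after resolution. `ntpath` is used so the Windows path semantics are reproduced on any host running the example.

```python
"""Weak vs. hardened path sanitization for Windows-style traversal.

Added example, not project code. Names and paths are hypothetical.
"""
import ntpath

# Hypothetical directory the endpoint is supposed to confine access to.
BASE_DIR = r"C:\lollms\presets"


def weak_sanitize(user_path: str) -> str:
    """Flawed pattern: only forward-slash traversal is recognised.

    A path such as '..\\..\\Windows\\win.ini' contains no '/' at all, so
    split('/') yields a single token that is not '..' and the check passes.
    """
    if user_path.startswith("/") or ".." in user_path.split("/"):
        raise ValueError("traversal detected")
    return user_path


def naive_join_windows(base: str, user_path: str) -> str:
    """What a Windows host actually opens after weak_sanitize() let the path through."""
    return ntpath.normpath(ntpath.join(base, user_path))


def safe_resolve(base: str, user_path: str) -> str:
    """Hardened version: normalize separators, reject absolute forms, then
    check containment on the *resolved* path rather than on the raw string."""
    # Treat backslash and slash identically before any decision is made.
    candidate = user_path.replace("\\", "/")
    # Rooted ('/x', '//server/share') or drive-qualified ('C:x', 'C:/x') input
    # must never be joined onto base. Checking the prefix directly avoids the
    # ntpath.isabs() behaviour change for '\\x' paths in Python 3.13.
    if candidate.startswith("/") or ntpath.splitdrive(candidate)[0]:
        raise ValueError("absolute path rejected")
    resolved = ntpath.normpath(ntpath.join(base, candidate))
    base_norm = ntpath.normpath(base)
    # Windows paths are case-insensitive, so compare case-folded forms and
    # require either the base itself or a path strictly below it.
    r, b = ntpath.normcase(resolved), ntpath.normcase(base_norm)
    if r != b and not r.startswith(b + ntpath.sep):
        raise ValueError("path escapes base directory")
    return resolved


def rejects(fn, *args) -> bool:
    """True if fn(*args) raises ValueError; used to exercise both sanitizers."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attacker input: backslash traversal, no forward slashes.
    attack = r"..\..\Windows\win.ini"
    print("weak_sanitize rejects forward-slash form:", rejects(weak_sanitize, "../../Windows/win.ini"))
    print("weak_sanitize rejects backslash form:   ", rejects(weak_sanitize, attack))
    print("Windows resolves it to:                 ", naive_join_windows(BASE_DIR, attack))
    print("safe_resolve rejects backslash form:    ", rejects(safe_resolve, BASE_DIR, attack))
    print("safe_resolve on a legitimate name:      ", safe_resolve(BASE_DIR, "default.yaml"))
```

The practical check this shows: a sanitizer that only tokenizes on `/` is not a traversal filter on Windows, where `\` is also a separator. Any containment test has to run on the resolved path (via `ntpath`/`os.path.normpath` or `Path.resolve()`), not on the raw request string.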
Related Identifiers
Affected Products
Lollms