Back to CVE List

CVE-2026-0560

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.5 / 10
Vector String
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Vulnerability Description

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-918
Source
NVD
Vendor
lollms
Product
lollms

External References

Discussion (0)

Add Comment

No comments yet. Be the first!