← Back to CVE List

CVE-2024-2366

Published: 2024-05-16T09:15Z
Last Modified: 2024-11-21T09:09Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt