← Back to CVE List

CVE-2024-4078

Published: 2024-05-16T09:15Z
Last Modified: 2024-11-21T09:42Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt