PyPi: Lollms

CVE-2024-6971

Safety vulnerability ID: 78789

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Oct 11, 2024 Updated at Aug 18, 2025

Advisory

Affected versions of the lollms-webui package are vulnerable to Path Traversal due to a lack of path sanitization in functions handling filesystem operations. The functions add_rag_database, toggle_mount_rag_database, and vectorize_folder in lollms_file_system.py do not employ sanitize_path_from_endpoint or sanitize_path, allowing crafted paths with directory traversal sequences. An attacker with local access and sufficient privileges can exploit this by invoking those functions on arbitrary .sqlite files outside the intended directory, potentially triggering unwanted package installations or causing application crashes and disruption.
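As an added example (not lollms' own code and not its sanitize_path helpers), this is the containment check the advisory says add_rag_database, toggle_mount_rag_database and vectorize_folder omit: a requested .sqlite path is joined to the database directory, normalised, and accepted only if it still lies below that directory. The root directory and sample requests are constructed for illustration.

```python
"""Added example: containment check for user-supplied .sqlite paths."""
from pathlib import Path
from typing import Dict, List

# Constructed example root; lollms' real database directory differs.
RAG_ROOT = "/srv/lollms/rag"


class PathTraversalError(ValueError):
    """Raised when a requested database path escapes the allowed directory."""


def resolve_database_path(root: str, requested: str, suffix: str = ".sqlite") -> Path:
    """Return the absolute path of `requested` inside `root`, or raise.

    Hypothetical helper, not lollms' sanitize_path: it normalises the joined
    path (collapsing '..' and symlinks) and then requires the result to lie
    strictly below `root`, so sequences such as 'sub/../../x' are caught after
    normalisation rather than by fragile substring scans.
    """
    if not requested or Path(requested).is_absolute():
        raise PathTraversalError(f"absolute or empty path rejected: {requested!r}")
    root_path = Path(root).resolve()
    candidate = (root_path / requested).resolve()
    if root_path not in candidate.parents:
        raise PathTraversalError(f"{requested!r} resolves outside {root_path}")
    if candidate.suffix != suffix:
        raise PathTraversalError(f"{requested!r} is not a {suffix} file")
    return candidate


def classify_requests(root: str, requests: List[str]) -> Dict[str, str]:
    """Label each request 'ok' or 'rejected'; useful for audit logs and tests."""
    verdicts: Dict[str, str] = {}
    for req in requests:
        try:
            resolve_database_path(root, req)
            verdicts[req] = "ok"
        except PathTraversalError:
            verdicts[req] = "rejected"
    return verdicts


if __name__ == "__main__":
    # Constructed sample inputs: two legitimate names, three escapes, one wrong type.
    samples = ["docs.sqlite", "sub/notes.sqlite", "../../secrets.sqlite",
               "sub/../../outside.sqlite", "/etc/hosts", "notes.txt"]
    for req, verdict in classify_requests(RAG_ROOT, samples).items():
        print(f"{verdict:8} {req}")
```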

Affected package

lollms

Latest version: 11.0.0

A python library for AI personality definition

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources


Severity Details

CVSS Base Score

MEDIUM 4.4

CVSS v3 Details

MEDIUM 4.4
Attack Vector (AV): LOCAL
Attack Complexity (AC): LOW
Privileges Required (PR): HIGH
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Impact (A): HIGH