CVE-2024-4315

CRITICAL Year: 2024
CVSS v3 Score
9.1
Critical
Weakness Type
CWE-98
View all →

Vulnerability Description

parisneo/lollms version 9.5 is vulnerable to Local File Inclusion (LFI) attacks due to insufficient path sanitization. The `sanitize_path_from_endpoint` function fails to properly sanitize Windows-style paths (backward slash `\`), allowing attackers to perform directory traversal attacks on Windows systems. This vulnerability can be exploited through various routes, including `personalities` and `/del_preset`, to read or delete any file on the Windows filesystem, compromising the system's availability.

Related Vulnerabilities

CVE-2025-26916

CRITICAL
CVSS:9.0(Critical)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in EPC Massive Dynamic. This issue affects Massive Dynamic: from n/a through 8.2.

CWE-982025

CVE-2024-1600

CRITICAL
CVSS:9.3(Critical)

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL...

CWE-982024

CVE-2022-4606

HIGH
CVSS:8.8(High)

PHP Remote File Inclusion in GitHub repository flatpressblog/flatpress prior to 1.3.

CWE-982022

CVE-2023-24217

HIGH
CVSS:8.8(High)

AgileBio Electronic Lab Notebook v4.234 was discovered to contain a local file inclusion vulnerability.

CWE-982023

CVE-2023-49084

HIGH
CVSS:8.8(High)

Cacti is a robust performance and fault management framework and a frontend to RRDTool - a Time Series Database (TSDB). While using the detected SQL Injection and insufficient processing of the includ...

CWE-982023

CVE-2024-10436

HIGH
CVSS:8.8(High)

The WPC Smart Messages for WooCommerce plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 4.2.1 via the get_condition_value function. This makes it possib...

CWE-982024