A remote code execution (RCE) vulnerability exists in parisneo/lollms-webui version 9.5, specifically in the 'open_file' module. It arises from improper neutralization of special elements used in a command within the 'open_file' function. An attacker can exploit it by crafting a malicious file path that, when processed by 'open_file', executes arbitrary system commands or reads sensitive file content. The flaw lies in code where subprocess.Popen is used unsafely to open files from user-supplied paths without adequate validation, leading to command injection.
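The weakness class described above (a user-supplied path passed to subprocess.Popen without validation) can be illustrated with a constructed Python example. This is added example code, not lollms-webui's own implementation; the helper names, the xdg-open invocation and the upload root are assumptions. It shows the unsafe string-building pattern next to a hardened variant that confines the path to an allowed directory and passes it as a discrete argument so no shell ever parses it.

```python
import subprocess
from pathlib import Path

# Unsafe pattern (constructed illustration of the flaw class, not the project's
# real code): the user-controlled path is interpolated into one shell string.
# Run with shell=True, any shell metacharacters in the path become commands.
def unsafe_open_command(user_path: str) -> str:
    return f"xdg-open {user_path}"


# Assumed directory the application is allowed to open files from.
ALLOWED_ROOT = Path("/srv/lollms/uploads")


def resolve_within(root: Path, user_path: str) -> Path:
    """Resolve user_path under root and refuse anything that escapes it.

    Both traversal ('../') and absolute paths are rejected, because
    Path.resolve() collapses '..' and an absolute user_path replaces root
    entirely when joined.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes allowed root: {user_path!r}")
    return candidate


def safe_open_command(user_path: str, root: Path = ALLOWED_ROOT) -> list[str]:
    """Build an argv list: the path is a single argument, never shell-parsed."""
    target = resolve_within(root, user_path)
    return ["xdg-open", str(target)]


def open_file(user_path: str, root: Path = ALLOWED_ROOT) -> subprocess.Popen:
    """Hardened open_file: validated path, argument list, shell disabled."""
    return subprocess.Popen(safe_open_command(user_path, root), shell=False)


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, a metacharacter payload, a traversal.
    for p in ["notes.txt", "notes.txt; echo injected", "../../etc/passwd"]:
        try:
            print(safe_open_command(p))
        except ValueError as exc:
            print("rejected:", exc)
```

With shell=False the semicolon in the second input stays inside one argument and reaches xdg-open as part of a (nonexistent) filename rather than starting a new command, and the traversal input is rejected before any process is spawned.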
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Fri, 15 Aug 2025 20:45:00 +0000

Type                 | Values Removed | Values Added
First Time appeared  |                | Lollms; Lollms lollms-webui
CPEs                 |                | cpe:2.3:a:lollms:lollms-webui:9.5:*:*:*:*:*:*:*
Vendors & Products   |                | Lollms; Lollms lollms-webui

Thu, 03 Jul 2025 16:45:00 +0000

Type     | Values Removed | Values Added
Metrics  |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2024-08-01T20:33:53.200Z

Reserved: 2024-04-26T18:16:36.135Z

Link: CVE-2024-4267

Vulnrichment

Updated: 2024-05-23T16:56:35.306Z

NVD

Status: Analyzed

Published: 2024-05-22T20:15:09.700

Modified: 2025-08-15T20:40:20.873

Link: CVE-2024-4267

Redhat

No data.

OpenCVE Enrichment

No data.