CVE-2026-0558
Unauthenticated File Upload in parisneo/lollms
CVSS Score
7.5
EPSS Score
0.1%
EPSS Percentile
30th
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.
| CWE | CWE-287 |
| Vendor | parisneo |
| Product | parisneo/lollms |
| Published | Mar 29, 2026 |
| Last Updated | Mar 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for parisneo parisneo/lollms
Be the first to know when new high vulnerabilities affecting parisneo parisneo/lollms are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Affected Versions
parisneo / parisneo/lollms
unspecified < 2.2.0