CVE Alert

CVE-2026-0560

HIGH 7.5

Server-Side Request Forgery (SSRF) in parisneo/lollms

CVSS Score: 7.5
EPSS Score: 0.1%
EPSS Percentile: 35th

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
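The defect described above is a download helper that fetches whatever URL it is handed. As an added example (not lollms code; the function names, the constructed DNS table and the sample hosts are all assumptions), this is the kind of check such a helper should run before opening a connection: allow only http/https, resolve the host, and refuse every address that is not globally routable, which covers loopback, RFC 1918, link-local and the 169.254.169.254 metadata endpoint, including IPv4-mapped IPv6 spellings.

```python
import ipaddress
import socket
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Constructed DNS table so the example runs offline; production uses socket.getaddrinfo.
FAKE_DNS = {"cdn.example.test": "93.184.216.34", "intranet.example.test": "10.0.0.5"}

def fake_resolver(host, port, proto=0):
    if host not in FAKE_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {host!r}")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (FAKE_DNS[host], port))]

def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so it is judged as the IPv4 it encodes.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, private, link-local (169.254.169.254 metadata),
    # shared address space and unspecified; multicast and reserved are excluded explicitly.
    return ip.is_global and not ip.is_multicast and not ip.is_reserved

def validate_download_url(url, resolver=socket.getaddrinfo):
    """Return the public IPs `url` points at, or raise ValueError."""
    # Caller should connect to a returned IP (sending the original Host header) rather
    # than re-resolving, so DNS rebinding cannot swap in an internal address between
    # check and fetch; every HTTP redirect must be passed through this check again.
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    host = parsed.hostname
    if not host or parsed.username or parsed.password:
        raise ValueError("URL must have a plain host without credentials")
    try:
        ips = [ipaddress.ip_address(host)]  # literal IPv4/IPv6 address
    except ValueError:  # hostname: resolve and check every record, not just the first
        try:
            infos = resolver(host, parsed.port or 80, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host!r}") from exc
        ips = [ipaddress.ip_address(info[4][0]) for info in infos]
    bad = [str(ip) for ip in ips if not _is_public(ip)]
    if bad:
        raise ValueError(f"{host!r} points at non-public address(es): {bad}")
    return [str(ip) for ip in ips]

def is_safe_url(url, resolver=socket.getaddrinfo):
    try:
        return bool(validate_download_url(url, resolver))
    except ValueError:
        return False
```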

CWE: CWE-918
Vendor: parisneo
Product: parisneo/lollms
Published: Mar 29, 2026
Last Updated: Mar 30, 2026

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Affected Versions

parisneo/lollms: all versions < 2.2.0 (lower bound unspecified)

References

NVD
CVE.org
EPSS Data
huntr.com: https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5
github.com: https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263