CVE-2024-1600 CRITICAL

CVE-2024-1600: Local File Inclusion in parisneo/lollms-webui

Vendor Parisneo
Product parisneo/lollms-webui
Weakness CWE-98 · PHP file inclusion
Published April 10, 2024
Last update August 1, 2024
View on NVD All CVEs

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L

What the vulnerability does

01Description

A Local File Inclusion (LFI) vulnerability exists in the parisneo/lollms-webui application, specifically within the `/personalities` route. An attacker can exploit this vulnerability by crafting a URL that includes directory traversal sequences (`../../`) followed by the desired system file path, URL encoded. Successful exploitation allows the attacker to read any file on the filesystem accessible by the web server. This issue arises due to improper control of filename for include/require statement in the application.

Key dates

02Disclosure timeline

April 10, 2024 CVE published
August 1, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2025-68908 WordPress Barberry theme <= 2.9.9.87 - Local File Inclusion vulnerability CVE-2025-58913 WordPress VideoPro theme <= 2.3.8.1 - Local File Inclusion vulnerability CVE-2025-54690 WordPress Xinterio Theme <= 4.2 - Local File Inclusion Vulnerability CVE-2025-53259 WordPress Hotel Booking plugin <= 3.7 - Local File Inclusion Vulnerability CVE-2025-26933 WordPress Place Order Without Payment for WooCommerce plugin <= 2.6.7 - Local File Inclusion vulnerability