CVE-2026-0558 HIGH

CVE-2026-0558: Unauthenticated File Upload in parisneo/lollms

Vendor Parisneo
Product parisneo/lollms
Weakness CWE-287 · Improper authentication
Published March 29, 2026
Last update March 30, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

What the vulnerability does

01Description

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

Key dates

02Disclosure timeline

March 29, 2026 CVE published
March 30, 2026 Record updated