CVE-2026-0558

CRITICAL EPSS 34.5%
Published Mar 29, 20263mo ago · Modified Jun 17, 20261w ago
9.8 CVSS 3.1
Critical
Find Similar
Published Mar 29, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

CVSS Details

Base Score
9.8
Exploitability
3.9
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
34.5% percentile
Exploit & Patch Status
Public Exploit Known
Patch Available

Weaknesses 1

CWE-287 Improper Authentication Authentication

Affected Products 1

VendorProductVersionRange
lollmslollms* ≤2.1.0

References 2

  • github.com https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3
    Patch
  • huntr.com https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113
    ExploitIssue TrackingThird Party Advisory

Remediation

  • github.com https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3
    Patch