{"id":"CVE-2024-2366","summary":"Remote Code Execution in parisneo/lollms-webui","details":"A remote code execution vulnerability exists in the parisneo/lollms-webui application, specifically within the reinstall_binding functionality in lollms_core/lollms/server/endpoints/lollms_binding_infos.py of the latest version. The vulnerability arises due to insufficient path sanitization, allowing an attacker to exploit path traversal to navigate to arbitrary directories. By manipulating the binding_path to point to a controlled directory and uploading a malicious __init__.py file, an attacker can execute arbitrary code on the server.","modified":"2026-07-15T01:49:18.875349194Z","published":"2024-05-16T09:03:49.643Z","database_specific":{"cwe_ids":["CWE-77"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/2xxx/CVE-2024-2366.json","cna_assigner":"@huntr_ai"},"references":[{"type":"WEB","url":"https://huntr.com/bounties/63266c77-408b-45ff-962c-8163db50a864"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/2xxx/CVE-2024-2366.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2366"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parisneo/lollms-webui","events":[{"introduced":"0"},{"fixed":"eaa0b2035034d2cefcc536eb7d17a765dae4a6b4"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"9.5"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:lollms:lollms_web_ui:*:*:*:*:*:*:*:*"}}],"versions":["v9.4","v9.3","v9.2","v9.1","v9.0","v8.5","v7.0","v6.7","v6.5.0","v6.5rc2","v6.5","v6.0","v5.0","v4.0","v3.5","v3.0","v0.0.9","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-2366.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"}]}