{"id":"CVE-2024-4897","details":"parisneo/lollms-webui, in its latest version, is vulnerable to remote code execution due to an insecure dependency on llama-cpp-python version llama_cpp_python-0.2.61+cpuavx2-cp311-cp311-manylinux_2_31_x86_64. The vulnerability arises from the application's 'binding_zoo' feature, which allows attackers to upload and interact with a malicious model file hosted on hugging-face, leading to remote code execution. The issue is linked to a known vulnerability in llama-cpp-python, CVE-2024-34359, which has not been patched in lollms-webui as of commit b454f40a. The vulnerability is exploitable through the application's handling of model files in the 'bindings_zoo' feature, specifically when processing gguf format model files.","modified":"2026-04-10T05:17:48.941169Z","published":"2024-07-02T15:15:11.853Z","references":[{"type":"FIX","url":"https://huntr.com/bounties/ecf386df-4b6a-40b2-9000-db0974355acc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/parisneo/lollms-webui","events":[{"introduced":"0"},{"fixed":"8a8e3a1c386321f641a014bf8f7029512ccad411"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"9.8"}]}}],"versions":["v0.0.1","v0.0.2","v0.0.3","v0.0.5","v0.0.6","v0.0.7","v0.0.8","v0.0.9","v3.0","v3.5","v4.0","v5.0","v6.0","v6.5","v6.5.0","v6.5rc2","v6.7","v7.0","v8.5","v9.0","v9.1","v9.2","v9.3","v9.4","v9.5","v9.6"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4897.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}