CVE-2026-0560

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263	Patch
https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5	Exploit Issue Tracking Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*

History

31 Mar 2026, 19:37

Type	Values Removed	Values Added
References	~~() https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263 -~~	() https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263 - Patch
References	~~() https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5 -~~	() https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5 - Exploit, Issue Tracking, Third Party Advisory
CPE		cpe:2.3:a:lollms:lollms::::::::
First Time		Lollms Lollms lollms

29 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-29 18:16

Updated : 2026-03-31 19:37

NVD link : CVE-2026-0560

Mitre link : CVE-2026-0560

CVE.ORG link : CVE-2026-0560

JSON object : View

Products Affected

lollms

lollms

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-0560", "cveTags": [], "metrics": {"cvssMetricV30": [{"type": "Secondary", "source": "security@huntr.dev", "cvssData": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2026-03-29T18:16:14.303", "references": [{"url": "https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263", "tags": ["Patch"], "source": "security@huntr.dev"}, {"url": "https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "source": "security@huntr.dev"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security@huntr.dev", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution."}], "lastModified": "2026-03-31T19:37:38.187", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7118851E-5C3C-499B-BBB5-0327B7FD85AF", "versionEndIncluding": "2.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@huntr.dev"}