CVE-2024-1602

parisneo/lollms-webui is vulnerable to stored Cross-Site Scripting (XSS) that leads to Remote Code Execution (RCE). The vulnerability arises due to inadequate sanitization and validation of model output data, allowing an attacker to inject malicious JavaScript code. This code can be executed within the user's browser context, enabling the attacker to send a request to the /execute_code endpoint and establish a reverse shell to the attacker's host. The issue affects various components of the application, including the handling of user input and model output.

Published: Apr 10, 2024
Updated: Jul 10, 2025
CVE: CVE-2024-1602
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
lollms / lollms_web_ui	9.0	9.0.x

https://huntr.com/bounties/59be0d5a-f18e-4418-8f29-72320269a097

Vulnerability Database

CVE-2024-1602

Deep Security Visibility Without the Complexity