{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0558", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-01T21:43:51.283Z", "datePublished": "2026-03-29T17:53:08.003Z", "dateUpdated": "2026-03-30T15:23:41.471Z"}, "containers": {"cna": {"title": "Unauthenticated File Upload in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:53:08.003Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "lessThan": "2.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}, {"url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287"}]}], "source": {"advisory": "0a722001-89ce-4c91-b6a6-a55ee5ba2113", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:23:04.443086Z", "id": "CVE-2026-0558", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:23:41.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0558", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:23:04.443086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:23:32.181Z"}}], "cna": {"title": "Unauthenticated File Upload in parisneo/lollms", "source": {"advisory": "0a722001-89ce-4c91-b6a6-a55ee5ba2113", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.2.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}, {"url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}], "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:53:08.003Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0558", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:23:41.471Z", "dateReserved": "2026-01-01T21:43:51.283Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-29T17:53:08.003Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7118851E-5C3C-499B-BBB5-0327B7FD85AF", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "id": "CVE-2026-0558", "lastModified": "2026-03-31T19:45:54.220", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-29T18:16:13.250", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "parisneo/lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-03-29T19:20:21.181282+00:00", "value": {"mitigation_remediation": ["Update parisneo/lollms to any release newer than 2.2.0 that enforces authentication on the \"/api/files/extract-text\" endpoint.", "If an immediate upgrade is not possible, restrict access to the endpoint using firewall rules or reverse\u2011proxy authentication so that only trusted IPs or users can reach it.", "Apply request size limits and rate\u2011limit the file upload endpoint to prevent resource exhaustion.", "Verify that the updated version does not expose any other unauthenticated file handling paths and monitor logs for suspicious upload activity."], "summary": {"action": "Immediate Patch", "impact": "Denial of Service and Information Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects the open\u2011source project parisneo/lollms, specifically versions up to and including 2.2.0. Any deployment of this version that exposes the /api/files/extract-text endpoint to unauthenticated users is vulnerable.", "description_and_impact": "This vulnerability allows anyone on the network to send requests to the \"/api/files/extract-text\" endpoint and upload arbitrary files without needing credentials. Because the endpoint does not enforce authentication and lacks proper request size or resource limits, an attacker can upload large or malicious files that consume CPU or memory, leading to resource exhaustion and a denial of service. The ability to process files also potentially exposes sensitive data contained in the uploaded files or in the service\u2019s internal processing logs, violating the application\u2019s documented security policies.", "risk_and_exploitability": "With a CVSS base score of 7.5, the vulnerability is considered high severity. No EPSS data is available and it is not currently listed in the CISA KEV catalog, but the lack of authentication makes exploitation trivial to anyone who can reach the endpoint. An attacker can simply craft large files or repeated requests to trigger a DoS, and the endpoint\u2019s open processing may also reveal internal information. The likelihood of exploitation is high due to the obvious lack of access control."}}}}, "created": "2026-03-29T20:31:14.679898+00:00", "updated": "2026-03-30T06:58:02.732997+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$parisneo/lollms"]}