{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0558", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-01T21:43:51.283Z", "datePublished": "2026-03-29T17:53:08.003Z", "dateUpdated": "2026-03-30T15:23:41.471Z"}, "containers": {"cna": {"title": "Unauthenticated File Upload in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:53:08.003Z"}, "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "lessThan": "2.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}, {"url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "baseScore": 7.5, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-287 Improper Authentication", "cweId": "CWE-287"}]}], "source": {"advisory": "0a722001-89ce-4c91-b6a6-a55ee5ba2113", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T15:23:04.443086Z", "id": "CVE-2026-0558", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:23:41.471Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0558", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T15:23:04.443086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T15:23:32.181Z"}}], "cna": {"title": "Unauthenticated File Upload in parisneo/lollms", "source": {"advisory": "0a722001-89ce-4c91-b6a6-a55ee5ba2113", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.2.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}, {"url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}], "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "CWE-287 Improper Authentication"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-03-29T17:53:08.003Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0558", "state": "PUBLISHED", "dateUpdated": "2026-03-30T15:23:41.471Z", "dateReserved": "2026-01-01T21:43:51.283Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-03-29T17:53:08.003Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:lollms:lollms:*:*:*:*:*:*:*:*", "matchCriteriaId": "7118851E-5C3C-499B-BBB5-0327B7FD85AF", "versionEndIncluding": "2.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies."}], "id": "CVE-2026-0558", "lastModified": "2026-03-31T19:45:54.220", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-29T18:16:13.250", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/parisneo/lollms/commit/a6625dc83786ff21d109b0d545ca61b770607ef3"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://huntr.com/bounties/0a722001-89ce-4c91-b6a6-a55ee5ba2113"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "security@huntr.dev", "type": "Primary"}, {"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "parisneo/lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-04-01T05:25:57.269001+00:00", "value": {"mitigation_remediation": ["Upgrade to a version newer than 2.2.0 that enforces authentication on the /api/files/extract-text endpoint."], "summary": {"action": "Immediate Patch", "impact": "Service Disruption and Information Disclosure"}, "threat_synthesis": {"affected_systems": "The issue affects the Parisneo/Lollms product up to and including version 2.2.0. Environment configurations that expose the vulnerable endpoint without additional controls are directly at risk.\n", "description_and_impact": "An unauthenticated vulnerability exists in the file extraction endpoint of the Parisneo/Lollms application. The /api/files/extract-text route allows any remote user to upload and process files without the required authentication dependency, enabling arbitrary file handling. This flaw can lead to resource exhaustion, causing a denial of service, and may expose sensitive content from uploaded files, thereby violating the application's intended security posture.\n", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.8, denoting critical severity. Although the EPSS score is below 1%, indicating a low current exploitation probability, once discovered it could be leveraged easily through standard HTTP requests without any authentication. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is over the network to the exposed API endpoint."}}}}, "created": "2026-03-29T20:31:14.679898+00:00", "updated": "2026-04-02T07:55:04.713680+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$parisneo/lollms"]}