CVE-2026-0558

Summary

A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the /api/files/extract-text endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the Depends(get_current_active_user) dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies.

Affected Software

VendorProductVersion RangeStatus
parisneoparisneo/lollmsunspecified < 2.2.0affected

Weaknesses

  • CWE-287: CWE-287 Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References