| ID |
CVE-2026-0558
|
| Sažetak |
A vulnerability in parisneo/lollms, up to and including version 2.2.0, allows unauthenticated users to upload and process files through the `/api/files/extract-text` endpoint. This endpoint does not enforce authentication, unlike other file-related endpoints, and lacks the `Depends(get_current_active_user)` dependency. This issue can lead to denial of service (DoS) through resource exhaustion, information disclosure, and violation of the application's documented security policies. |
| Reference |
|
| CVSS |
| Base: | 7.5 |
| Impact: | 3.6 |
| Exploitability: | 3.9 |
|
| Pristup |
| Vektor | Složenost | Autentikacija |
| NETWORK |
LOW |
NONE |
|
| Impact |
| Povjerljivost | Cjelovitost | Dostupnost |
| NONE |
HIGH |
NONE |
|
| CVSS vektor |
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| Zadnje važnije ažuriranje |
31-03-2026 - 19:45 |
| Objavljeno |
29-03-2026 - 18:16 |
