CVE-2024-9919


A missing authentication check in the uninstall endpoint of parisneo/lollms-webui V13 allows attackers to perform unauthorized directory deletions. The /uninstall/{app_name} API endpoint does not call the check_access() function to verify the client_id, enabling attackers to delete directories without proper authentication.


Published

2025-03-20T10:15:50.660

Last Modified

2025-10-15T13:15:59.840

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 8.4 (HIGH)

Weaknesses
  • Type: Secondary
    CWE-306

Affected Vendors & Products
Type         Vendor  Product        Version/Range  Vulnerable?
Application  lollms  lollms_web_ui  13             Yes
