CVE-2024-6581
CRITICAL · CVSS 9
EPSS exploitation probability: 0%
Published 2024-10-29T13:15:07.840 · Last modified 2026-06-17T08:18:17.043

Summary

A vulnerability in the discussion image upload function of the Lollms application, version v9.9, allows SVG files to be uploaded. Because the filtering in the sanitize_svg function is incomplete, this can lead to cross-site scripting (XSS), which in turn poses a risk of remote code execution. The sanitize_svg function only removes script elements and 'on*' event attributes and does not account for other potential XSS vectors within SVG files. The vulnerability can be exploited when authorized users access a malicious URL containing the crafted SVG file.
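
An illustration of the gap the summary describes, added here as an example and not taken from the lollms code base: a denylist sanitizer in the shape the advisory attributes to sanitize_svg (strip script elements and on* attributes, trust the rest) beside an allowlist sanitizer that parses the document and keeps only known elements and attributes. The function names, the allowlists and the sample document are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
ET.register_namespace("", SVG_NS)  # serialise as <svg>, not <ns0:svg>

# Denylist in the shape the advisory describes (hypothetical, not lollms' code):
# removes <script> and on* attributes and passes everything else through.
def sanitize_svg_denylist(svg_text: str) -> str:
    svg_text = re.sub(r"<script\b.*?</script\s*>", "", svg_text, flags=re.I | re.S)
    return re.sub(r"\s+on\w+\s*=\s*(\"[^\"]*\"|'[^']*'|\S+)", "", svg_text, flags=re.I)

# Allowlist alternative: anything not explicitly listed is dropped, so new
# element or attribute types never need a matching denylist rule.
ALLOWED_ELEMENTS = {"svg", "g", "title", "desc", "path", "rect", "circle",
                    "ellipse", "line", "polyline", "polygon"}
ALLOWED_ATTRS = {"width", "height", "viewBox", "d", "x", "y", "cx", "cy", "r",
                 "rx", "ry", "x1", "y1", "x2", "y2", "points", "fill", "stroke",
                 "stroke-width", "transform"}

def _local(name: str) -> str:
    return name.rsplit("}", 1)[-1]  # "{namespace}tag" -> "tag"

def _prune(elem: ET.Element) -> None:
    for child in list(elem):
        if _local(child.tag) in ALLOWED_ELEMENTS:
            _prune(child)
        else:
            elem.remove(child)  # unknown element and its whole subtree go away
    for attr in list(elem.attrib):
        if _local(attr) not in ALLOWED_ATTRS:
            del elem.attrib[attr]  # covers on*, href, style and anything unlisted

def sanitize_svg_allowlist(svg_text: str) -> str:
    # Production code should parse with defusedxml to resist entity-expansion abuse.
    root = ET.fromstring(svg_text)  # malformed XML raises and the upload is rejected
    if _local(root.tag) != "svg":
        raise ValueError("root element is not <svg>")
    _prune(root)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    # Constructed sample: one allowed shape plus three things that should not survive.
    SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10" onload="x()">'
              '<script>x()</script><unlisted/><rect x="1" y="1" width="8" height="8"/></svg>')
    print(sanitize_svg_denylist(SAMPLE))   # <unlisted/> is still there
    print(sanitize_svg_allowlist(SAMPLE))  # only <svg> and <rect> remain
```

Serving uploads with a restrictive Content-Security-Policy, or as a download rather than an inline document, limits the impact even when a sanitizer misses a case.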

Affected products

lollms — lord_of_large_language_models


This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.