cvedb.io
CVE-2026-0560
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-03-29T18:16:14.303 · Last modified 2026-06-17T10:10:56.830

Summary

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

Affected products

lollms — lollms

Does this affect you?

Add your gear to cvedb and we'll alert you only when lollms ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.