Cyber Resilience

CVE-2024-1520

Critical · Public PoC · RCE

Published: 10 April 2024
Modified: 09 July 2025
CVSS Score v3: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1107 (93.6th percentile)
Risk Priority: 26 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1520 is a critical-severity OS Command Injection (CWE-78) vulnerability in Lollms Web UI, a Lollms product. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 6.4% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Other ATLAS/OWASP Terms risk domain. MITRE ATLAS techniques in scope are AI Model Inference API Access (AML.T0040), Exfiltration via AI Inference API (AML.T0024), and External Harms (AML.T0048).

Deeper analysis

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application. The flaw stems from insufficient validation of user-supplied input in the 'discussion_id' parameter and is tracked as CWE-78. It carries a CVSS 3.0 score of 9.8, reflecting network-accessible exploitation with no required authentication or user interaction.

Unauthenticated remote attackers can supply crafted values to the endpoint that inject and execute arbitrary operating-system commands. Successful exploitation grants the ability to read or modify data, escalate privileges, or achieve full control of the underlying host.

A fix addressing the input-handling issue was merged in commit 2497d1a4fe5a09f003bf7a9bc426139e9295a934 of the upstream repository. The associated huntr.dev report provides additional technical detail on the vulnerable code path. The EPSS score has remained essentially flat near 0.11 with no material post-disclosure increase.

Vulnerability details

An OS Command Injection vulnerability exists in the '/open_code_folder' endpoint of the parisneo/lollms-webui application, due to improper validation of user-supplied input in the 'discussion_id' parameter. Attackers can exploit this vulnerability by injecting malicious OS commands, leading to unauthorized command execution on the underlying operating system. This could result in unauthorized access, data leakage, or complete system compromise.

CWE(s)

CWE-78: OS Command Injection

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason
The vulnerability affects parisneo/lollms-webui, a web UI platform for large language models (LLMs) and multimodal models, enabling AI assistants and agents, categorized under Enterprise AI Assistants. Reported on an AI/ML bug bounty platform (huntr.com).

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

Why these techniques?

OS command injection in public-facing web endpoint (T1190: Exploit Public-Facing Application) enables arbitrary OS command execution (T1059: Command and Scripting Interpreter).

MITRE ATLAS Techniques

AML.T0040: AI Model Inference API Access
AML.T0024: Exfiltration via AI Inference API
AML.T0048: External Harms

Affected Assets

Vendor: lollms
Product: lollms web ui
Versions: 9.0 to 9.2

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
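
The input-validation control above, applied to a 'discussion_id' value of the kind '/open_code_folder' receives, as an added example that is not code from lollms-webui or from this advisory. It assumes discussion ids are decimal integers and that each discussion has a folder named after its id under a base directory; the function names and that layout are hypothetical.

```python
import re
import subprocess
import sys
from pathlib import Path

# Assumption: discussion ids are short decimal integers. [0-9] is used rather
# than \d so that non-ASCII digits are rejected as well.
ID_PATTERN = re.compile(r"[0-9]{1,18}")


def resolve_discussion_folder(base_dir, discussion_id):
    """Return the folder for discussion_id under base_dir, or raise ValueError."""
    text = str(discussion_id)
    if not ID_PATTERN.fullmatch(text):
        raise ValueError("discussion_id must be a decimal integer")
    base = Path(base_dir).resolve()
    folder = (base / text).resolve()
    # Containment check: defence in depth should the id pattern ever be loosened.
    if base not in folder.parents:
        raise ValueError("resolved path escapes the base directory")
    return folder


def build_open_command(folder, platform=sys.platform):
    """Build an argv list for the platform file manager; no command string is built."""
    if platform.startswith("win"):
        return ["explorer", str(folder)]
    if platform == "darwin":
        return ["open", str(folder)]
    return ["xdg-open", str(folder)]


def open_code_folder(base_dir, discussion_id, runner=subprocess.run):
    """Validate the id, then launch the file manager without a shell."""
    folder = resolve_discussion_folder(base_dir, discussion_id)
    folder.mkdir(parents=True, exist_ok=True)
    # The path is a single argv element and shell=False, so shell
    # metacharacters are never interpreted even if validation regressed.
    return runner(build_open_command(folder), shell=False, check=False)
```

The `runner` parameter exists so the handler can be exercised in tests without launching a file manager.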
