Cyber Resilience

CVE-2024-1601

Critical · Public PoC

Published: 16 April 2024

Modified: 07 July 2025
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0528 (90.2th percentile)
Risk Priority: 23 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-1601 is a critical-severity SQL Injection (CWE-89) vulnerability in Lollms Lollms-Webui. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.8% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

An SQL injection vulnerability exists in the delete_discussion() function of the parisneo/lollms-webui application. The flaw stems from improper neutralization of special elements in SQL commands and is reachable via the /delete_discussion HTTP endpoint, where an attacker-controlled "id" parameter is used directly in database queries against the discussion and message tables.

An unauthenticated remote attacker can submit a crafted POST request containing a malicious payload in the id field. Successful exploitation deletes all records from the discussion and message tables, resulting in complete loss of conversation history and associated data. The issue carries a CVSS 3.1 score of 9.8, reflecting a network attack vector, low attack complexity, and no required privileges or user interaction.

Public references point to a fix merged in commit f0bc8f2babdfd4770a5adbf3b60ec612e4f1db46 on the upstream repository, along with a detailed report published on huntr.com that describes the same injection vector and remediation.

EPSS scores have remained low and stable near 0.05 with no material increase after disclosure.

Vulnerability details

An SQL injection vulnerability exists in the `delete_discussion()` function of the parisneo/lollms-webui application, allowing an attacker to delete all discussions and message data. The vulnerability is exploitable via a crafted HTTP POST request to the `/delete_discussion` endpoint, which internally calls the vulnerable `delete_discussion()` function. By sending a specially crafted payload in the 'id' parameter, an attacker can manipulate SQL queries to delete all records from the 'discussion' and 'message' tables. This issue is due to improper neutralization of special elements used in an SQL command.

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

lollms
lollms-webui
9.0, 9.1

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-89

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

addresses: CWE-89

Validates query inputs to prevent SQL syntax or command manipulation.
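
A sketch of the input-validation control for a handler shaped like the one described above: the id is checked to be a plain integer and then bound as a parameter rather than formatted into the SQL text. This is an added example, not code from lollms-webui or its fix commit; the SQLite backend, column names, sample rows and helper names are assumptions.

```python
import sqlite3

def make_db():
    """Constructed in-memory database. Table names are from the advisory; columns are assumed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE discussion (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE message (id INTEGER PRIMARY KEY, discussion_id INTEGER, content TEXT);
        INSERT INTO discussion VALUES (1, 'first'), (2, 'second'), (3, 'third');
        INSERT INTO message VALUES (1, 1, 'a'), (2, 2, 'b'), (3, 2, 'c'), (4, 3, 'd');
    """)
    return db

def parse_discussion_id(raw):
    """Accept only a plain non-negative decimal integer; reject everything else."""
    text = str(raw).strip()
    if not text.isascii() or not text.isdigit():
        raise ValueError("id must be an integer")
    return int(text)

def delete_discussion(db, raw_id):
    """Hardened handler body (hypothetical): validate first, then bind the value.

    Pattern to avoid (CWE-89): building the statement with string formatting,
    e.g. f"DELETE FROM discussion WHERE id={raw_id}".
    """
    discussion_id = parse_discussion_id(raw_id)
    with db:  # one transaction: both deletes commit together or roll back together
        msgs = db.execute("DELETE FROM message WHERE discussion_id = ?", (discussion_id,)).rowcount
        discs = db.execute("DELETE FROM discussion WHERE id = ?", (discussion_id,)).rowcount
    return discs, msgs

def bound_match_count(db, raw):
    """Even without validation, a bound value is compared as data, never parsed as SQL."""
    return db.execute("SELECT COUNT(*) FROM discussion WHERE id = ?", (raw,)).fetchone()[0]

def row_counts(db):
    discussions = db.execute("SELECT COUNT(*) FROM discussion").fetchone()[0]
    messages = db.execute("SELECT COUNT(*) FROM message").fetchone()[0]
    return discussions, messages

def demo():
    db, results = make_db(), []
    for raw in ("2", "2 OR 1=1", "", "2; --"):  # constructed request values
        try:
            results.append((raw, delete_discussion(db, raw)))
        except ValueError:
            results.append((raw, "rejected"))
    return results, row_counts(db)

if __name__ == "__main__":
    print(demo())
```
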

References