
CVE-2024-3435

Severity: High · Public PoC

Published: 16 May 2024
Modified: 09 July 2025
KEV Added:
Patch:
CVSS v3 Score: 8.4 (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0059 (69.5th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-3435 is a high-severity Path Traversal: '\..\filename' (CWE-29) vulnerability in Lollms Web UI (vendor: Lollms). Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as Other Platforms, in the Other ATLAS/OWASP Terms risk domain.


Vulnerability details

A path traversal vulnerability exists in the 'save_settings' endpoint of the parisneo/lollms-webui application, affecting versions up to the latest release before 9.5. The vulnerability arises due to insufficient sanitization of the 'config' parameter in the 'apply_settings' function, allowing an attacker to manipulate the application's configuration by sending specially crafted JSON payloads. This could lead to remote code execution (RCE) by bypassing existing patches designed to mitigate such vulnerabilities.


AI Security Analysis

AI Category: Other Platforms
Risk Domain: Other ATLAS/OWASP Terms
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: The vulnerability affects parisneo/lollms-webui, a web user interface platform for running large language models (LLMs) locally, which qualifies as an AI-related platform for model interaction and deployment. It does not fit more specific categories like frameworks or libraries.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Path traversal vulnerability in the web application's 'save_settings' endpoint enables manipulation of configuration via crafted JSON payloads, leading to remote code execution by exploiting a public-facing application.

Affected Assets

Vendor: lollms
Product: lollms web ui
Versions: ≤ 9.5

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
