CVE-2024-4078

Severity: Critical (RCE)
Published: 16 May 2024
Modified: 15 April 2026
KEV Added: not listed
Patch: available (GitHub commit referenced under Deeper analysis)
CVSS Score (v3): 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0976 (93.1st percentile)
Risk Priority: 25 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-4078 is a critical-severity Command Injection (CWE-77) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 6.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2024-4078 is a path traversal vulnerability in the parisneo/lollms project that permits arbitrary code execution. It resides in the /unInstall_binding endpoint, where the unInstall_binding function fails to sanitize the name parameter, allowing an attacker to traverse directories and load a malicious __init__.py file. The flaw affects the latest version of the software and carries a CVSS 3.0 base score of 9.8.

Unauthenticated remote attackers can exploit the issue over the network by supplying a crafted name value, resulting in remote code execution with full confidentiality, integrity, and availability impact on the host system. The weakness is tracked as CWE-77.

Public references include a GitHub commit that addresses the flaw by adding proper path sanitization and a corresponding huntr.dev bounty report that details the discovery.

The EPSS score stands at 0.0976 with no material increase from its recorded peak.

Vulnerability details

A vulnerability in the parisneo/lollms, specifically in the `/unInstall_binding` endpoint, allows for arbitrary code execution due to insufficient sanitization of user input. The issue arises from the lack of path sanitization when handling the `name` parameter in the `unInstall_binding` function, allowing an attacker to traverse directories and execute arbitrary code by loading a malicious `__init__.py` file. This vulnerability affects the latest version of the software. The exploitation of this vulnerability could lead to remote code execution on the system where parisneo/lollms is deployed.
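The root cause described in both the Deeper analysis and the Vulnerability details is a binding `name` that reaches the filesystem without path sanitization. The check below is an added illustration of the kind of hardening the page says the fix introduced; it is not code from the parisneo/lollms project. The bindings root `/opt/app/bindings`, the helper names `resolve_binding_dir` and `is_safe_binding_name`, and the name pattern are all assumptions made for this example.

```python
import re
from pathlib import Path

# Assumed bindings directory for this example; a real deployment would use
# whatever directory the application installs bindings into.
BINDINGS_ROOT = Path("/opt/app/bindings")

# Binding names are treated as plain identifiers: letters, digits, underscore,
# hyphen, bounded length. No dots and no path separators of any kind, so a
# traversal sequence never reaches the filesystem layer at all.
_BINDING_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_-]{0,63}$")


class InvalidBindingName(ValueError):
    """Raised when a user-supplied binding name fails validation."""


def resolve_binding_dir(name: str, root: Path = BINDINGS_ROOT) -> Path:
    """Return the on-disk directory for binding `name`, or raise.

    Two independent layers are applied:
      1. a syntactic allowlist on the raw string;
      2. a structural check that the resolved path is still inside `root`,
         which also catches symlinked entries that point outside it.
    """
    if not isinstance(name, str) or not _BINDING_NAME_RE.fullmatch(name):
        raise InvalidBindingName(f"rejected binding name: {name!r}")

    root_resolved = root.resolve()
    candidate = (root_resolved / name).resolve()
    # Path.relative_to raises ValueError when candidate lies outside root.
    try:
        candidate.relative_to(root_resolved)
    except ValueError as exc:
        raise InvalidBindingName(f"binding path escapes root: {name!r}") from exc
    return candidate


def is_safe_binding_name(name: str) -> bool:
    """Boolean form for use in a request handler before any import or delete."""
    try:
        resolve_binding_dir(name)
        return True
    except InvalidBindingName:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any report.
    for sample in ["openai", "my_binding-2", "../x", "a/b", "a\\b", "", "."]:
        verdict = "accept" if is_safe_binding_name(sample) else "reject"
        print(f"{sample!r:16} -> {verdict}")
```

The allowlist alone would already block the traversal pattern the page describes; the `relative_to` check is kept as a second, independent layer so that a future relaxation of the pattern (or a symlink inside the bindings directory) still cannot yield a path outside the root. Only a path returned by `resolve_binding_dir` should ever be handed to the code that imports or removes a binding's `__init__.py`.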

CWE(s)

CWE-77 (Command Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
