Cyber Resilience

CVE-2026-0560

Severity: High · Public PoC

Published: 29 March 2026

Modified: 31 March 2026
KEV Added
Patch
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0274 (86.3rd percentile)
Risk Priority: 17 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-0560 is a high-severity SSRF (CWE-918) vulnerability in Lollms Lollms. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 13.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

A Server-Side Request Forgery vulnerability affects parisneo/lollms versions prior to 2.2.0 in the /api/files/export-content endpoint. The _download_image_to_temp function in backend/routers/files.py does not validate user-supplied URLs, permitting arbitrary outbound HTTP requests to internal services or cloud metadata endpoints. The flaw is tracked as CWE-918 and carries a CVSS 3.1 score of 7.5.

An unauthenticated remote attacker can supply a crafted URL to the endpoint and reach otherwise inaccessible internal hosts, retrieve cloud instance metadata, disclose sensitive information, perform port scans, or in some cases chain the access into remote code execution.

The referenced commit 76a54f0df2df8a5b254aa627d487b5dc939a0263 in the parisneo/lollms repository addresses the issue by adding URL validation. The associated huntr report provides additional technical detail on the affected code path.
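The fix described above comes down to validating user-controlled URLs before the server fetches them. As an added illustration (not the project's code or the contents of the referenced commit), the following Python check resolves the host and refuses any URL that is not http(s) or that maps to a loopback, link-local, private, or other non-public address; `check_outbound_url`, `demo_resolve` and the `DEMO_DNS` table are constructed here so it runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 space; not is_private on older Pythons

def _default_resolve(host: str) -> list[str]:
    """Every address the name maps to (A and AAAA); each one must pass the check."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})

def _is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:10.0.0.5 by its IPv4 form
    if ip.version == 4 and ip in CGNAT:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def check_outbound_url(url: str, resolve=_default_resolve) -> tuple[bool, str]:
    """Return (allowed, reason). Only http(s) URLs whose host resolves
    exclusively to public unicast addresses are allowed."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)  # literal address: no DNS lookup needed
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError:
            addrs = []
    if not addrs:
        return False, f"host does not resolve: {host}"
    for addr in addrs:  # a single non-public address in the answer is enough to refuse
        if not _is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"

# Constructed lookup table standing in for DNS so the example runs offline.
DEMO_DNS = {"images.example.com": ["93.184.216.34"],
            "metadata.google.internal": ["169.254.169.254"],
            "rebind.example.net": ["93.184.216.34", "127.0.0.1"]}
def demo_resolve(host: str) -> list[str]:
    return DEMO_DNS.get(host.lower(), [])
```

Checking the URL up front still leaves a gap between this lookup and the one the HTTP client performs, so a robust fix connects to the address that was checked and repeats the check on every redirect.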

EU & UK References

Vulnerability details

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validate user-controlled URLs, allowing attackers to make arbitrary HTTP requests to internal services and cloud metadata endpoints. This vulnerability can lead to internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery (Discovery)
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in a public-facing web API endpoint directly enables T1190 exploitation; it also facilitates T1552.005 through cloud metadata access and T1046 through port scanning and internal discovery.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-0562: same product (Lollms Lollms)
CVE-2026-0558: same product (Lollms Lollms)
CVE-2026-33340: same vendor (Lollms)
CVE-2026-30637: shared CWE-918
CVE-2026-22219: shared CWE-918
CVE-2026-28508: shared CWE-918
CVE-2025-7759: shared CWE-918
CVE-2026-32096: shared CWE-918
CVE-2026-3478: shared CWE-918
CVE-2026-31943: shared CWE-918

Affected Assets

lollms lollms ≤ 2.1.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly mitigates the SSRF by requiring validation of user-controlled URLs in the _download_image_to_temp() function to prevent processing of malicious internal or metadata endpoints.

Prevent: Boundary protection controls outbound communications from the server, blocking unauthorized requests to internal services and cloud metadata endpoints exploited via SSRF.

Prevent: Enforces information flow policies to restrict server-initiated HTTP requests to only approved destinations, preventing SSRF access to internal network resources.

References