How to fix CVE-2024-2356?

Within 24 hours: Identify all systems running parisneo/lollms-webui and restrict network access to the application or disable the '/reinstall_extension' endpoint. Within 7 days: Conduct forensic review of access logs for suspicious activity targeting the vulnerable endpoint and assess whether sensitive files have been accessed. Within 30 days: Develop a patch or migration strategy with the vendor, evaluate alternative solutions, or plan controlled decommissioning if no patch timeline is provided.

Is Python affected by CVE-2024-2356?

A critical vulnerability in the lollms-webui application allows attackers to read arbitrary files from affected systems through the extension reinstall feature, potentially exposing sensitive data, credentials, and configuration information.

CVE-2024-2356

CRITICAL

2026-02-02 [email protected]

9.6

CVSS 3.0

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 22:01 vuln.today

CVE Published

Feb 02, 2026 - 11:15 nvd

CRITICAL 9.6

Description

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post("/reinstall_extension")` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server's handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation.

Analysis

Local File Inclusion in parisneo/lollms-webui /reinstall_extension endpoint allows authenticated users to include arbitrary local files. EPSS 0.26%.

Technical Context

CWE-29 path traversal in extension reinstall. Authenticated users can include arbitrary local files.

Affected Products

['parisneo/lollms-webui']

Remediation

Update lollms-webui.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.3

CVSS: +48

POC: 0

CVE-2024-2356 vulnerability details – vuln.today

Back

CVE-2024-2356

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2024-2356

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code