Python CVE-2024-2356

CRITICAL
Path Traversal: '\..\filename' (CWE-29)
2026-02-02 security@huntr.dev
CVSS 3.0 score: 9.6

CVSS Vector (NVD)

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Analysis Generated: Mar 12, 2026 - 22:01 (vuln.today)
CVE Published: Feb 02, 2026 - 11:15 (nvd), CRITICAL 9.6

Description (NVD)

A Local File Inclusion (LFI) vulnerability exists in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application, specifically within the name parameter of the @router.post("/reinstall_extension") route. This vulnerability allows attackers to inject a malicious name parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of data.name directly with lollmsElfServer.lollms_paths.extensions_zoo_path and its use as an argument for ExtensionBuilder().build_extension(). The server's handling of the __init__.py file in arbitrary locations, facilitated by importlib.machinery.SourceFileLoader, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to 0.0.0.0 or in headless mode. No user interaction is required for exploitation.
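
The unchecked join of data.name onto extensions_zoo_path described above, next to a containment check, as an added example that is not lollms-webui code or the project's fix. The helper names, the directory layout and the assumption that valid extension names are relative paths inside the zoo are illustrative.

```python
import tempfile
from pathlib import Path, PureWindowsPath


class UnsafeExtensionName(ValueError):
    """The requested name would resolve outside the extensions zoo."""


def naive_extension_dir(zoo_path: Path, name: str) -> Path:
    # Pattern from the description: the request value is joined unchecked.
    return (zoo_path / name).resolve()


def safe_extension_dir(zoo_path: Path, name: str) -> Path:
    # Hypothetical hardened helper (not the project's fix).
    if not name or "\x00" in name:
        raise UnsafeExtensionName("empty or malformed name")
    win = PureWindowsPath(name)
    if win.drive or win.is_absolute() or Path(name).is_absolute():
        raise UnsafeExtensionName("absolute paths are not extension names")
    # CWE-29 is the backslash variant, so treat '\' as a separator as well.
    parts = name.replace("\\", "/").split("/")
    if any(part in ("", ".", "..") for part in parts):
        raise UnsafeExtensionName("traversal or empty path component")
    base = zoo_path.resolve()
    candidate = base.joinpath(*parts).resolve()
    # resolve() follows symlinks, so a link that leaves the zoo fails here.
    if base not in candidate.parents:
        raise UnsafeExtensionName("resolved path leaves the extensions zoo")
    return candidate


def demo() -> dict:
    # Constructed layout: an extensions zoo beside a discussion upload folder.
    root = Path(tempfile.mkdtemp()).resolve()
    zoo, uploads = root / "extensions_zoo", root / "uploads"
    (zoo / "category" / "ext").mkdir(parents=True)
    uploads.mkdir()
    results = {"naive": naive_extension_dir(zoo, "../uploads"), "zoo": zoo}
    for name in ("category/ext", "../uploads", "..\\uploads", "/tmp"):
        try:
            results[name] = safe_extension_dir(zoo, name)
        except UnsafeExtensionName as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value}")
```

The final parent check is the one that matters; the earlier rejections only give clearer errors and keep Windows-style names from being treated as a single harmless component on POSIX hosts.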

Analysis (AI)

Local File Inclusion in parisneo/lollms-webui /reinstall_extension endpoint allows authenticated users to include arbitrary local files. EPSS 0.26%.

Technical Context (AI)

CWE-29 path traversal in extension reinstall. Authenticated users can include arbitrary local files.

Affected Products (AI)

parisneo/lollms-webui

Remediation (AI)

Update lollms-webui.