What is the CVSS score of EUVD-2026-14928?

EUVD-2026-14928 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Lollms Webui are affected by EUVD-2026-14928?

A critical, unpatched vulnerability in LoLLMs WEBUI allows attackers to bypass authentication and force your servers to make unauthorized requests to internal systems and cloud services, potentially…

Is there a public PoC exploit available for EUVD-2026-14928?

Yes, a public proof-of-concept exploit is available for EUVD-2026-14928. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate EUVD-2026-14928?

Within 24 hours: Audit all systems running LoLLMs WEBUI, isolate affected instances from production networks, and disable the `/api/proxy` endpoint if possible. Within 7 days: Deploy WAF rules to block malicious proxy requests, implement strict network segmentation to limit server egress, and conduct forensic analysis for signs of exploitation. Within 30 days: Evaluate alternative solutions, plan decommissioning of LoLLMs WEBUI, or prepare for immediate patching once the vendor releases a fix.

Lollms Webui EUVD-2026-14928

| CVE-2026-33340 CRITICAL

Missing Authentication for Critical Function (CWE-306)

2026-03-24 GitHub_M

SSRF Authentication Bypass Lollms Webui

9.1

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.1 CRITICAL

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 20:37 vuln.today

cvss_changed

EUVD ID Assigned

Mar 24, 2026 - 16:30 euvd

EUVD-2026-14928

Analysis Generated

Mar 24, 2026 - 16:30 vuln.today

CVE Published

Mar 24, 2026 - 15:58 nvd

CRITICAL 9.1

DescriptionGitHub Advisory

LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of lollms-webui. The @router.post("/api/proxy") endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.

AnalysisAI

A critical Server-Side Request Forgery (SSRF) vulnerability exists in the LoLLMs WEBUI application, allowing unauthenticated remote attackers to force the server to make arbitrary GET requests through the /api/proxy endpoint. All known existing versions of lollms-webui are affected, and as of publication, no patched version is available. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send POST request to /api/proxy endpoint

Exploit

Specify arbitrary URL as target

Execution

Server makes unrestricted GET request

Impact

Access internal services or cloud metadata

Access

Send POST request to /api/proxy endpoint

Exploit

Specify arbitrary URL as target

Execution

Server makes unrestricted GET request

Impact

Access internal services or cloud metadata

Vulnerability AssessmentAI

Exploitation	No special conditions — remote unauthenticated exploitation against the `/api/proxy` endpoint in all known versions of LoLLMs WEBUI. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	This vulnerability presents a critical real-world risk with a CVSS score of 9.1 and vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating network-accessible exploitation with low complexity requiring no privileges or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An unauthenticated remote attacker sends a crafted POST request to the `/api/proxy` endpoint of an internet-facing lollms-webui server, specifying a target URL pointing to the cloud metadata service at http://169.254.169.254/latest/meta-data/iam/security-credentials/. The vulnerable server makes the GET request on behalf of the attacker and returns the response containing temporary IAM credentials with full permissions associated with the instance role. …
Remediation	As of this advisory's publication, no patched version of lollms-webui is available from the vendor. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all systems running LoLLMs WEBUI, isolate affected instances from production networks, and disable the /api/proxy endpoint if possible. …

Threat intelligence, references, and detailed analysis are available after sign-in.

EUVD-2026-14928 vulnerability details – vuln.today

Back

Lollms Webui EUVD-2026-14928

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code