EUVD-2026-14928
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
3Description
LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/api/proxy")` endpoint allows unauthenticated attackers to force the server into making arbitrary GET requests. This can be exploited to access internal services, scan local networks, or exfiltrate sensitive cloud metadata (e.g., AWS/GCP IAM tokens). As of time of publication, no known patched versions are available.
Analysis
A critical Server-Side Request Forgery (SSRF) vulnerability exists in the LoLLMs WEBUI application, allowing unauthenticated remote attackers to force the server to make arbitrary GET requests through the `/api/proxy` endpoint. All known existing versions of lollms-webui are affected, and as of publication, no patched version is available. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all systems running LoLLMs WEBUI, isolate affected instances from production networks, and disable the `/api/proxy` endpoint if possible. Within 7 days: Deploy WAF rules to block malicious proxy requests, implement strict network segmentation to limit server egress, and conduct forensic analysis for signs of exploitation. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today