CVE-2026-0560 - Vulnerability Analysis
High | CVSS: 7.5 | Last Updated: March 31, 2026
parisneo/lollms - Server Side Request Forgery
Overview
parisneo/lollms versions before 2.2.0 contain a server-side request forgery (SSRF) vulnerability. The /api/files/export-content endpoint does not validate user-controlled URLs, so an attacker can make the server issue arbitrary HTTP requests to internal services and cloud metadata endpoints. Exploitation requires a crafted request.
Severity & Score
Impact
Attackers can access internal network services, cloud metadata, and potentially execute remote code.
Mitigation
Update to version 2.2.0 or later.
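For deployments that fetch user-supplied URLs server-side, the following added example (not lollms code and not the 2.2.0 fix) shows one way to vet a destination before requesting it, rejecting the internal and cloud-metadata addresses named in the overview. The names `vet_url`, `is_public` and `UnsafeURL` are hypothetical, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


class UnsafeURL(ValueError):
    """Raised when a user-supplied URL must not be fetched server-side."""


def is_public(ip_text):
    ip = ipaddress.ip_address(ip_text.split("%")[0])  # drop IPv6 zone id
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) before classifying.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (metadata), etc.
    return ip.is_global and not ip.is_multicast


def vet_url(url, resolve=socket.getaddrinfo):
    """Return the sorted list of vetted IPs for url, or raise UnsafeURL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("no host in URL")
    try:
        port = parts.port or (443 if scheme == "https" else 80)
        infos = resolve(host, port, type=socket.SOCK_STREAM)
    except (ValueError, OSError) as exc:
        raise UnsafeURL(f"cannot resolve {host!r}") from exc
    ips = sorted({info[4][0] for info in infos})
    # Reject if ANY record is internal: a mixed answer must not pass.
    bad = [ip for ip in ips if not is_public(ip)]
    if not ips or bad:
        raise UnsafeURL(f"{host!r} resolves to non-public address(es): {bad}")
    return ips
```

The caller should connect to one of the returned IPs instead of resolving the name again, otherwise a second DNS answer can differ from the vetted one. Redirects need the same check on every hop, or should be disabled.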
References
Social Media Activity (2 posts)
⚠️ CVE-2026-0560: HIGH-severity SSRF in parisneo/lollms (<2.2.0) allows remote attackers to access internal network/cloud endpoints via /api/files/export-content. Patch to 2.2.0+ or block unsafe URLs now! https://radar.offseq.com/threat/cve-2026-0560-cwe-918-server-side-request-forgery--5103940b #OffSeq #SSRF #Vuln #AppSec
CVE-2026-0560 - High (7.5) A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the `/api/files/export-content` endpoint. The `_download_image_to_temp()` function in `backend/routers/files.py` fails to validat... https://www.thehackerwire.com/vulnerability/CVE-2026-0560/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-0560
- Severity: High
- CVSS Score: 7.5
- Type: server_side_request_forgery
- Status: confirmed
- EPSS: 14.3%
- Social Posts: 2
CWE
- CWE-918
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N