Platform: python
Component: lollms
Fixed in: 2.2.0
CVE-2026-0558 is an Unrestricted File Upload vulnerability discovered in lollms, a Python-based project, impacting versions up to 2.2.0. This vulnerability allows unauthenticated users to upload and process arbitrary files via the /api/files/extract-text endpoint, bypassing authentication checks. Successful exploitation can lead to denial of service, information disclosure, and potential security policy breaches. A fix is available in version 2.2.0.
The primary impact of CVE-2026-0558 is the ability for an unauthenticated attacker to upload and process files without proper authorization. This opens the door to several malicious scenarios. An attacker could upload large files to exhaust server resources, leading to a denial of service (DoS) condition, rendering the lollms application unavailable to legitimate users. Furthermore, the ability to process arbitrary files could allow an attacker to disclose sensitive information contained within those files. The lack of authentication on this endpoint represents a significant security policy violation, as it circumvents intended access controls.
CVE-2026-0558 was publicly disclosed on 2026-03-29. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. The vulnerability's simplicity and lack of authentication make it a potential target for opportunistic attackers.
EPSS: 0.31% (54th percentile)
The recommended mitigation for CVE-2026-0558 is to immediately upgrade lollms to version 2.2.0 or later, which includes the necessary authentication checks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /api/files/extract-text endpoint from unauthenticated users. Additionally, review and strengthen the application's overall authentication and authorization mechanisms. Monitor server logs for suspicious file upload activity, particularly requests originating from unknown or unauthorized sources.
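As an added example of the log monitoring suggested above (this is not lollms project code), the script below scans a constructed JSON-lines access log and flags requests to /api/files/extract-text that were accepted without credentials, that carried an oversized body, or that arrived in a burst from one client. The log field names, the `has_auth` flag, and the size and burst thresholds are assumptions; adapt them to the reverse proxy or application log you actually have.

```python
import json
from collections import Counter

ENDPOINT = "/api/files/extract-text"
MAX_UPLOAD_BYTES = 50 * 1024 * 1024   # assumed threshold for an "oversized" request body
BURST_THRESHOLD = 3                   # assumed per-client request count worth a closer look

# Constructed JSON-lines access log; field names are assumptions, not lollms's real format.
SAMPLE_LOG = "\n".join([
    '{"ip":"10.0.0.5","method":"POST","path":"/api/files/extract-text","status":200,"request_bytes":2048,"has_auth":true}',
    '{"ip":"203.0.113.7","method":"POST","path":"/api/files/extract-text","status":200,"request_bytes":524288000,"has_auth":false}',
    '{"ip":"203.0.113.7","method":"POST","path":"/api/files/extract-text","status":200,"request_bytes":4096,"has_auth":false}',
    '{"ip":"203.0.113.7","method":"POST","path":"/api/files/extract-text","status":200,"request_bytes":4096,"has_auth":false}',
    '{"ip":"10.0.0.8","method":"GET","path":"/api/health","status":200,"request_bytes":0,"has_auth":false}',
    '{"ip":"198.51.100.3","method":"POST","path":"/api/files/extract-text","status":401,"request_bytes":0,"has_auth":false}',
])

def parse_log(text):
    """Parse a JSON-lines access log, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def find_suspicious(events):
    """Return (ip, reason) findings for POSTs to the extract-text endpoint."""
    findings = []
    per_client = Counter()
    for e in events:
        if e.get("path") != ENDPOINT or e.get("method") != "POST":
            continue
        ip = e.get("ip", "?")
        per_client[ip] += 1
        # A 2xx without credentials means the endpoint accepted the upload unauthenticated,
        # which is exactly the unpatched behaviour described for this CVE.
        if not e.get("has_auth") and 200 <= int(e.get("status", 0)) < 300:
            findings.append((ip, "unauthenticated upload accepted"))
        if int(e.get("request_bytes", 0)) > MAX_UPLOAD_BYTES:
            findings.append((ip, "oversized upload"))
    for ip, n in per_client.items():
        if n >= BURST_THRESHOLD:
            findings.append((ip, f"{n} uploads from one client"))
    return findings

if __name__ == "__main__":
    for ip, reason in find_suspicious(parse_log(SAMPLE_LOG)):
        print(ip, reason)
```

A 401 on the endpoint (the last sample line) produces no finding, since that is the behaviour expected from a patched install.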
Update the lollms library to a version later than 2.2.0. This will fix the unauthenticated file upload vulnerability in the `/api/files/extract-text` endpoint.
CVE-2026-0558 is a vulnerability in lollms versions up to 2.2.0 that allows unauthenticated users to upload and process files, potentially leading to DoS and information disclosure.
You are affected if you are running lollms version 2.2.0 or earlier. Verify your version and upgrade immediately.
Upgrade lollms to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to block unauthenticated access to the /api/files/extract-text endpoint.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation makes it a potential target.
Refer to the lollms project's official repository and security announcements for the latest information: [https://github.com/parisneo/lollms](https://github.com/parisneo/lollms)