AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2024-4839: A Cross-Site Request Forgery (CSRF) vulnerability exists in the 'Servers Configurations' function of the parisneo/lollms

lowvulnerability

security

Source: NVD/CVE DatabaseJune 24, 2024CVE-2024-4839

Summary

A CSRF vulnerability (cross-site request forgery, where an attacker tricks a user's browser into making unwanted requests on their behalf) exists in the 'Servers Configurations' function of parisneo/lollms-webui versions 9.6 and later, affecting services like XTTS and vLLM that lack CSRF protection. Attackers can exploit this to deceive users into installing unwanted packages without their knowledge or consent.

Vulnerability Details

CVSS Score

3.3(low)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

integrity

AI Component TargetedAPI

Taxonomy References

CWE (Weakness Type)

CWE-352

Affected Vendors

LlamaIndex

Related Issues

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

Similar attackNVD/CVE Database

critical

CVE-2026-22252: LibreChat is a ChatGPT clone with additional features. Prior to v0.8.2-rc2, LibreChat's MCP stdio transport accepts arbi

First tracked: February 15, 2026 at 08:44 PM

Classified by LLM (prompt v3) · confidence: 85%