A Cross-Site Request Forgery (CSRF) vulnerability in the parisneo/lollms-webui project allows remote malicious users to execute arbitrary code on a victim's system. The vulnerability stems from the `/execute_code` API endpoint, which does not properly validate requests, enabling an malicious user to craft a malicious webpage that, when visited by a victim, submits a form to the victim's local lollms-webui instance to execute arbitrary OS commands. This issue allows malicious users to take full control of the victim's system without requiring direct network access to the vulnerable application.
Vulmon