LeakyCreds

CVE-2026-33340 - Vulnerability Analysis

Severity: Critical | CVSS: 9.1

Last Updated: March 25, 2026

LoLLMs WEBUI - Server-Side Request Forgery

Published: March 24, 2026 | Updated: March 25, 2026 | Remote Exploitable

Overview

LoLLMs WEBUI contains a server-side request forgery vulnerability caused by unauthenticated access to the /api/proxy endpoint, which lets attackers force the server to issue arbitrary GET requests. Exploitation requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 4.4% (probability of exploitation in the next 30 days)

Impact

Attackers can access internal services, scan local networks, or exfiltrate sensitive cloud metadata, potentially leading to data exposure and further compromise.

Mitigation

Update to a patched version once one is available, or apply mitigations that restrict the destinations of server-side requests.
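The mitigation above, as an added example (not code from lollms-webui): a destination check that a proxy-style endpoint can run before fetching a caller-supplied URL. It assumes a Python service; the function names and the resolver table used by the test are constructed for illustration, and the check is meant to sit behind authentication, not replace it.

```python
# Added example (not lollms-webui code): validate the destination of a
# server-side fetch before issuing it. Reject non-http(s) schemes, embedded
# credentials, unresolvable hosts, and any address that is not globally
# routable (loopback, RFC 1918, link-local incl. 169.254.169.254 metadata).
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Return every address (as a string) the hostname maps to, A and AAAA."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return [info[4][0] for info in infos]


def check_proxy_target(url, allowed_hosts=None, resolver=default_resolver):
    """Return (ok, reason). `resolver` is injectable so tests run offline."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    if allowed_hosts is not None and host.lower() not in allowed_hosts:
        return False, "host not on allowlist"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IP: no DNS lookup
    except ValueError:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolver(host)]
        except (OSError, ValueError):
            return False, "unresolvable host"
    if not addrs:
        return False, "unresolvable host"
    for addr in addrs:
        # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) before classifying.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        if not addr.is_global:
            return False, f"non-global address {addr}"
    # Connect to one of the checked addresses rather than re-resolving the
    # name (DNS rebinding), and re-run this check on every redirect hop.
    return True, "ok"
```

A host that resolves to a mix of public and private addresses is rejected, since the fetch could land on either.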

Social Media Activity (1 post)

TheHackerWire (@thehackerwire), Mar 24, 2026

🔓 CVE-2026-33340 - Critical (9.1) LoLLMs WEBUI provides the Web user interface for Lord of Large Language and Multi modal Systems. A critical Server-Side Request Forgery (SSRF) vulnerability has been identified in all known existing versions of `lollms-webui`. The `@router.post("/... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-33340/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack


Details

CVE ID: CVE-2026-33340
Severity: Critical
CVSS Score: 9.1
Type: server_side_request_forgery
Status: unconfirmed
EPSS: 4.4%
Social Posts: 1

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

4.4% (probability of exploitation in the next 30 days)