Parisneo - Parisneo/lollms-webui - CRITICAL - CVE-2024-2356. A Local File Inclusion (LFI) vulnerability has been identified in the '/reinstall_extension' endpoint of the parisneo/lollms-webui application. This issue arises when a malicious `name` parameter is injected, allowing the server to load and execute arbitrary Python files from the upload directory, potentially leading to Remote Code Execution (RCE). The vulnerability stems from insecurely concatenating `data.name` with `lollmsElfServer.lollms_paths.extensions_zoo_path`, which is then used in the `ExtensionBuilder().build_extension()` call. The flawed handling of Python files, particularly the `__init__.py` file, may facilitate unauthorized code execution, especially when the application runs in headless mode or binds to `0.0.0.0`. Notably, exploitation does not require user interaction, making it crucial for users of this application to assess their security posture.