The Web UI of llama-server accepts a query parameter (?q=...) as an initial user message in a new conversation and auto-submits this message without CSRF protection. An attacker can craft a malicious link to trigger arbitrary initial messages. If tool execution is enabled and the user has configured tools to execute without confirmation, this can lead to arbitrary shell command execution, data exfiltration, or other malicious actions.
| Vendor | Product | Versions |
|---|---|---|
| llama.cpp | llama.cpp | b1003 and earlier |