CVE-2026-1115Cross-site Scripting in Lollms

CWE-79Cross-site Scripting3 documents3 sources
Severity
9.6CRITICALNVD
EPSS
0.0%
top 86.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Parisneo LollmsLollms
Timeline
PublishedApr 10

Description

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HExploitability: 2.8 | Impact: 6.0

Affected Packages2 packages

CVEListV5parisneo/parisneo_lollmsunspecified2.2.0
PyPIlollms/lollms< 2.2.0

🔴Vulnerability Details

2
GHSA
parisneo/lollms vulnerable to stored XSS in the social feature2026-04-10
VulDB
parisneo lollms up to 2.1.x __init__.py create_post cross site scripting2026-04-10