CVE-2026-1115
Published 2026-04-10
Priority P343 · critical · 9.6 (CVSS 3.0)
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.40% (32.3rd percentile)
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.
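The description above names the pattern: post content is stored verbatim and later rendered into the Home Feed, where the browser treats it as markup. The following is an added example, not code from parisneo/lollms; `Post`, `PostStore`, `create_post`, `render_feed_unsafe` and `render_feed_safe` are hypothetical stand-ins for the real `create_post`/`DBPost` code, which is not reproduced here. It shows the vulnerable rendering beside the hardened one (HTML-escaping every untrusted value at the point it is placed into HTML) and uses the standard-library HTML parser to confirm that the escaped feed contains no tags or event-handler attributes the renderer did not emit itself.

```python
"""Added example (hypothetical code, not the lollms implementation):
stored user content rendered with and without output encoding."""
from dataclasses import dataclass, field
from html import escape
from html.parser import HTMLParser
from typing import List


@dataclass
class Post:
    """Hypothetical stand-in for a stored social post."""
    author: str
    content: str


@dataclass
class PostStore:
    posts: List[Post] = field(default_factory=list)

    def create_post(self, author: str, content: str) -> Post:
        # Storing the raw string is not the defect by itself; the defect is
        # interpolating it into HTML later without encoding it.
        post = Post(author=author, content=content)
        self.posts.append(post)
        return post


def render_feed_unsafe(store: PostStore) -> str:
    """Vulnerable pattern: untrusted content concatenated straight into HTML."""
    return "".join(
        f"<article><b>{p.author}</b><p>{p.content}</p></article>"
        for p in store.posts
    )


def render_feed_safe(store: PostStore) -> str:
    """Hardened pattern: HTML-escape every untrusted value at output time.
    quote=True also encodes quotes so values stay inert inside attributes."""
    return "".join(
        f"<article><b>{escape(p.author, quote=True)}</b>"
        f"<p>{escape(p.content, quote=True)}</p></article>"
        for p in store.posts
    )


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the browser would see."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.event_attrs: List[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


# The only tags the feed renderer itself emits.
RENDERER_TAGS = {"article", "b", "p"}


def foreign_markup(html: str) -> List[str]:
    """Return tags and event attributes that came from post content rather
    than from the renderer. An empty list means the content stayed inert."""
    collector = _TagCollector()
    collector.feed(html)
    collector.close()
    return [t for t in collector.tags if t not in RENDERER_TAGS] + collector.event_attrs


# Constructed sample input (not taken from any real incident): text that a
# browser would execute if rendered as markup.
SAMPLE_CONTENT = 'Hello feed <script>doSomething()</script> <img src="x" onerror="x()">'


def demo() -> dict:
    store = PostStore()
    store.create_post(author="alice", content=SAMPLE_CONTENT)
    return {
        "unsafe_foreign": foreign_markup(render_feed_unsafe(store)),
        "safe_foreign": foreign_markup(render_feed_safe(store)),
        "safe_html": render_feed_safe(store),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real application the same property is obtained by letting the template engine autoescape every interpolated value (and never switching that off for user content); a Content-Security-Policy that disallows inline scripts is a useful second layer but does not replace output encoding.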
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| lollms | lollms | <= 2.1.0 | — |
| lollms | lollms | >= 0 < 2.2.0 | 2.2.0 |
| parisneo | parisneo_lollms | >= unspecified < 2.2.0 | 2.2.0 |
GHSA · 2026-04-10
CVE-2026-1115 [CRITICAL] CWE-79 parisneo/lollms vulnerable to stored XSS in the social feature
VulDB · 2026-04-10 · CVSS 9.6
CVE-2026-1115 [CRITICAL] parisneo lollms up to 2.1.x __init__.py create_post cross-site scripting
A vulnerability labeled as problematic has been found in parisneo lollms up to 2.1.x. This issue affects the function create_post of the file backend/routers/social/__init__.py. Executing a manipulation can lead to cross-site scripting.
This vulnerability is registered as CVE-2026-1115. It is possible to launch the attack remotely. No exploit is available.
The affected component should be upgraded.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.