CVE-2026-1163: Insufficient Session Expiration in Lollms

Severity: 4.1 MEDIUM (NVD)
EPSS: 0.0% (top 86.54%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: listed under Affected Packages below
Timeline: Published Apr 8, 2026

Description

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the
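A minimal session store that reproduces the defects the description names (sessions outlive a password reset, no inactivity timeout, only a long absolute lifetime) beside a hardened version that revokes on reset and enforces both an idle and an absolute limit. This is an added illustration, not lollms' own code: every class and function name is hypothetical, and the 24-hour absolute lifetime, 30-minute idle timeout and FakeClock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Added example, not lollms' code. Names, timeouts and FakeClock are assumptions.
DAY = 24 * 3600


@dataclass
class User:
    username: str
    password_hash: str            # stand-in; a real app stores an argon2/bcrypt hash
    session_generation: int = 0   # bumped on password change to revoke older tokens


@dataclass
class Session:
    user: str
    generation: int   # User.session_generation at login time
    created_at: float
    last_seen: float


class VulnerableSessionStore:
    """Mirrors the advisory: a 31-day absolute lifetime is the only check."""

    MAX_AGE = 31 * DAY

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.sessions: Dict[str, Session] = {}

    def login(self, user: User) -> str:
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self.sessions[token] = Session(user.username, user.session_generation, now, now)
        return token

    def reset_password(self, user: User, new_hash: str) -> None:
        user.password_hash = new_hash  # existing sessions untouched: the bug

    def authenticate(self, token: str, users: Dict[str, User]) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None or self.clock() - s.created_at > self.MAX_AGE:
            return None
        return s.user  # no idle check, no check that the credential is still current


class HardenedSessionStore(VulnerableSessionStore):
    """Absolute lifetime, idle timeout, and revocation on password reset."""

    MAX_AGE = DAY             # assumed absolute lifetime
    IDLE_TIMEOUT = 30 * 60    # assumed: reject after 30 minutes without a request

    def reset_password(self, user: User, new_hash: str) -> None:
        user.password_hash = new_hash
        user.session_generation += 1  # every token minted before now is stale

    def authenticate(self, token: str, users: Dict[str, User]) -> Optional[str]:
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        user = users.get(s.user)
        stale = (
            user is None
            or s.generation != user.session_generation  # password reset since login
            or now - s.created_at > self.MAX_AGE         # absolute expiry
            or now - s.last_seen > self.IDLE_TIMEOUT     # inactivity expiry
        )
        if stale:
            self.sessions.pop(token, None)  # drop it so it cannot come back
            return None
        s.last_seen = now  # sliding window: activity keeps the session alive
        return s.user


class FakeClock:
    def __init__(self, start: float = 1_700_000_000.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def run_scenario(store_cls) -> Dict[str, bool]:
    """Probe each defect with its own token; True means the token was still accepted."""
    clock = FakeClock()
    users = {"alice": User("alice", "hash-old")}
    store = store_cls(clock=clock.now)

    t1 = store.login(users["alice"])            # attacker holds this token
    store.reset_password(users["alice"], "hash-new")  # victim rotates the password
    survives_reset = store.authenticate(t1, users) is not None

    t2 = store.login(users["alice"])            # token left unused for two hours
    clock.advance(2 * 3600)
    survives_idle = store.authenticate(t2, users) is not None

    t3 = store.login(users["alice"])            # unused for 30 days, inside the 31-day default
    clock.advance(30 * DAY)
    survives_month = store.authenticate(t3, users) is not None

    t4 = store.login(users["alice"])            # legitimate user active every 20 minutes
    active_ok = True
    for _ in range(3):
        clock.advance(20 * 60)
        active_ok = active_ok and store.authenticate(t4, users) is not None

    return {"survives_reset": survives_reset, "survives_idle": survives_idle,
            "survives_month": survives_month, "active_use_ok": active_ok}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableSessionStore))
    print("hardened:  ", run_scenario(HardenedSessionStore))
```

The generation counter is the part that matters for the reset case: a token is only accepted while the generation it was issued under still matches the user's, so a password change invalidates every outstanding session without the reset handler having to find them. Stale entries are deleted lazily on the first rejected use; a periodic sweep would be needed in addition if the store must not grow without bound.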

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L
Exploitability: 0.7 | Impact: 3.4

Affected Packages (2 packages)

Source | Package | Affected versions
CVEListV5 | parisneo/parisneo_lollms | unspecified / latest
PyPI | lollms/lollms | 11.0.0

Vulnerability Details (2)

OSV: parisneo/lollms has an insufficient session expiration vulnerability (2026-04-08)
GHSA: parisneo/lollms has an insufficient session expiration vulnerability (2026-04-08)

Threat Intelligence (1)

Wiz: CVE-2026-1163 Impact, Exploitability, and Mitigation Steps | Wiz