CVE-2026-1115

CRITICAL 9.6

Stored XSS in parisneo/lollms

CVSS Score

9.6

EPSS Score

0.0%

EPSS Percentile

0th

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.

CWE	CWE-79
Vendor	parisneo
Product	parisneo/lollms
Published	Apr 10, 2026
Last Updated	Apr 10, 2026

Stay Ahead of the Next One

Get instant alerts for parisneo parisneo/lollms

Be the first to know when new critical vulnerabilities affecting parisneo parisneo/lollms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Versions

parisneo / parisneo/lollms

unspecified < 2.2.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

huntr.com: https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa github.com: https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a