Stored XSS Vulnerability in Lollms Affecting Parisneo's Social Feature
CVE-2026-1115

9.6 CRITICAL

Key Information:

Vendor: Parisneo
CVE Published: 10 April 2026

What is CVE-2026-1115?

A Stored Cross-Site Scripting vulnerability exists in the social feature of Lollms. The issue arises in the create_post function, where user-generated content is assigned to the DBPost model without proper sanitization. This allows an attacker to inject and store malicious JavaScript that executes in the browser of any user, including administrators, who views the Home Feed. The impact includes potential account takeover, session hijacking, and propagation of the attack to other users. The vulnerability is patched in version 2.2.0; users should upgrade to 2.2.0 or later.
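The class of fix for this kind of bug is to keep user-controlled post text out of the HTML context unescaped. The following is an added example and is not Lollms code: `DBPostLike`, `FeedStore`, `create_post`, `render_feed_unsafe` and `render_feed_safe` are hypothetical stand-ins that mirror the pattern the advisory describes (raw content assigned to a post model and later rendered into a feed), with the constructed posts embedded inline. It contrasts the vulnerable render, which interpolates stored text straight into markup, with a hardened render that HTML-escapes every user-controlled field at the output boundary.

```python
"""Added example (not Lollms code): escaping user-generated post content
at the HTML boundary, the class of fix for a stored XSS in a social feed."""
import html
from dataclasses import dataclass, field
from typing import List


@dataclass
class DBPostLike:
    """Hypothetical stand-in for a stored social post (not Lollms's DBPost)."""
    author: str
    content: str


@dataclass
class FeedStore:
    """Constructed in-memory store used in place of a real database."""
    posts: List[DBPostLike] = field(default_factory=list)


def create_post(store: FeedStore, author: str, content: str,
                max_len: int = 4000) -> DBPostLike:
    """Validate and store the post text as plain text.

    The text is stored raw (not pre-escaped) so that non-HTML consumers such
    as an API or a search index get the original; the HTML escaping is done
    once, at render time, where the output context is known.
    """
    content = content.strip()
    if not content:
        raise ValueError("empty post")
    if len(content) > max_len:
        raise ValueError("post too long")
    post = DBPostLike(author=author.strip(), content=content)
    store.posts.append(post)
    return post


def render_feed_unsafe(store: FeedStore) -> str:
    """Vulnerable pattern: stored text is interpolated directly into markup,
    so any tag a user stored is emitted as live HTML to every viewer."""
    return "".join(
        f"<article><b>{p.author}</b><p>{p.content}</p></article>"
        for p in store.posts
    )


def render_feed_safe(store: FeedStore) -> str:
    """Hardened pattern: every user-controlled field is HTML-escaped at output.
    quote=True also escapes quotes, which matters if a value ever lands in an
    attribute. With a template engine, the equivalent is leaving autoescape on."""
    return "".join(
        f"<article><b>{html.escape(p.author, quote=True)}</b>"
        f"<p>{html.escape(p.content, quote=True)}</p></article>"
        for p in store.posts
    )


if __name__ == "__main__":
    # Constructed sample feed: one benign post and one containing markup.
    store = FeedStore()
    create_post(store, "alice", "Hello <3")
    create_post(store, "mallory", "<script>alert(1)</script>")
    print("unsafe:", render_feed_unsafe(store))
    print("safe:  ", render_feed_safe(store))
```

Escaping at the render boundary is the primary control; rejecting oversized or empty input in `create_post` is defence in depth, not a substitute. Existing stored posts written before a fix still need the safe renderer, because the escaping happens at output rather than on the data already in the database.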

Affected Version(s)

parisneo/lollms < 2.2.0

References

CVSS V3.0

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
