Cross-site Scripting Vulnerability in AppLollmsMessage Class by Parisneo
CVE-2026-1116

8.2 HIGH

Key Information:

Vendor

Parisneo

CVE Published:
12 April 2026

What is CVE-2026-1116?

A vulnerability exists in the from_dict method of the AppLollmsMessage class in the lollms product. It stems from inadequate sanitization or HTML encoding of the content field during the deserialization of user-supplied data. This weakness allows attackers to inject malicious HTML or JavaScript, enabling them to execute payloads in the context of another user's browser. Potential exploitation can result in severe consequences, including account takeovers, session hijacking, and even wormable attacks.
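To make the described weakness concrete, the following added example (written for this page, not code from the lollms project) uses a hypothetical `Message` class with two `from_dict` variants: one that stores the untrusted `content` field verbatim, and one that HTML-encodes it at the deserialization boundary. The class, field names and sample payload are assumptions for illustration.

```python
import html
from dataclasses import dataclass


@dataclass
class Message:
    """Hypothetical stand-in for a chat message that is rebuilt from a dict."""

    sender: str
    content: str

    @classmethod
    def from_dict_unsafe(cls, data: dict) -> "Message":
        # Stores the content field exactly as received: any markup supplied
        # by another user survives deserialization and reaches the renderer.
        return cls(sender=str(data["sender"]), content=str(data["content"]))

    @classmethod
    def from_dict(cls, data: dict) -> "Message":
        # Neutralise markup at the trust boundary: HTML-encode every text
        # field (including quotes) as it is deserialized.
        return cls(
            sender=html.escape(str(data["sender"]), quote=True),
            content=html.escape(str(data["content"]), quote=True),
        )


def render(msg: Message) -> str:
    # Template that interpolates the message into the page without any
    # further encoding, which is what makes the unsafe variant exploitable.
    return f'<div class="msg"><b>{msg.sender}</b>: {msg.content}</div>'


def contains_script_tag(rendered: str) -> bool:
    # Simple check used by the demo: did a live <script> element survive?
    return "<script" in rendered.lower()


# Constructed sample payload standing in for a stored chat message.
SAMPLE = {"sender": "guest", "content": "<script>alert('xss')</script>hello"}

if __name__ == "__main__":
    print(render(Message.from_dict_unsafe(SAMPLE)))  # script tag intact
    print(render(Message.from_dict(SAMPLE)))         # script tag encoded
```

Encoding at deserialization closes the gap the advisory describes, but output encoding in the renderer (or a context-aware template engine) remains the primary defence, since data can reach the page by other routes.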

Affected Version(s)

parisneo/lollms < 2.2.0

CVSS V3.0

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed
