Session Expiration Flaw in Parisneo Lollms Application
CVE-2026-1163

4.1 MEDIUM

Key Information:

Vendor

Parisneo

CVE Published:
8 April 2026

What is CVE-2026-1163?

An insufficient session expiration vulnerability in the latest version of the Parisneo Lollms application allows attackers to exploit active sessions after a password reset. This occurs because the application fails to invalidate old session tokens, enabling unauthorized access. The vulnerability is exacerbated by a long default session duration of 31 days and a lack of mechanisms to reject requests after a specified period of inactivity. Consequently, attackers can maintain access to a compromised account even if the legitimate user updates their password.
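As an added illustration that is not code from the Lollms project, the store below enforces the two controls the advisory says are missing: every session issued under the old password is revoked on reset, and requests idle beyond a timeout are rejected. The hardened defaults are assumed values; the weak parameters in the constructor reproduce the advisory's behaviour for comparison.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    pw_version: int   # password generation the session was issued under


class SessionStore:
    """In-memory session store. Defaults are the hardened policy (assumed
    values); the weak parameters reproduce the behaviour in the advisory."""

    def __init__(self, idle_timeout=30 * 60, max_lifetime=24 * 3600,
                 revoke_on_reset=True):
        self.idle_timeout = idle_timeout      # seconds of inactivity tolerated
        self.max_lifetime = max_lifetime      # absolute cap regardless of activity
        self.revoke_on_reset = revoke_on_reset
        self.sessions = {}                    # token -> Session
        self.pw_version = {}                  # user -> int, bumped on password change

    def login(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, now, now, self.pw_version.get(user, 0))
        return token

    def reset_password(self, user, now=None):
        # Bumping the generation makes every token issued under the old password
        # fail validation, even if a copy of it survives outside this store.
        if self.revoke_on_reset:
            self.pw_version[user] = self.pw_version.get(user, 0) + 1
            self.sessions = {t: s for t, s in self.sessions.items() if s.user != user}

    def validate(self, token, now=None):
        """Return the user for a live token, or None after dropping a stale one."""
        now = time.time() if now is None else now
        s = self.sessions.get(token)
        if s is None:
            return None
        expired = (now - s.last_seen > self.idle_timeout
                   or now - s.created > self.max_lifetime)
        if expired or s.pw_version != self.pw_version.get(s.user, 0):
            del self.sessions[token]
            return None
        s.last_seen = now   # sliding inactivity window
        return s.user
```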

Affected Version(s)

parisneo/lollms <= unspecified

References

CVSS V3.0

Score: 4.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved