Stored Cross-Site Scripting Vulnerability in Lollms by Parisneo
CVE-2026-12228

8.7HIGH

Key Information:

Vendor

Parisneo

Vendor
CVE Published:
18 July 2026

What is CVE-2026-12228?

A stored cross-site scripting vulnerability exists in the POST /api/prompts/share endpoint of the Lollms product by Parisneo. This issue arises due to the storage of unvalidated attacker-controlled content in a database field without proper server-side sanitization. When an unsuspecting user accesses the direct message thread containing this content, the message is rendered unsafely using a frontend renderer that employs regex for sanitization. This approach does not adequately cleanse the HTML, allowing the execution of malicious scripts in the victim's browser. Consequently, the attacker can send harmful JavaScript payloads that may lead to unauthorized actions within the victim's session, compromise sensitive data, and potentially enable account takeover.

Affected Version(s)

parisneo/lollms <= unspecified

References

CVSS V3.0

Score:
8.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.