Stored Cross-Site Scripting Vulnerability in Lollms by Parisneo
CVE-2026-12228
What is CVE-2026-12228?
A stored cross-site scripting vulnerability exists in the POST /api/prompts/share endpoint of the Lollms product by Parisneo. This issue arises due to the storage of unvalidated attacker-controlled content in a database field without proper server-side sanitization. When an unsuspecting user accesses the direct message thread containing this content, the message is rendered unsafely using a frontend renderer that employs regex for sanitization. This approach does not adequately cleanse the HTML, allowing the execution of malicious scripts in the victim's browser. Consequently, the attacker can send harmful JavaScript payloads that may lead to unauthorized actions within the victim's session, compromise sensitive data, and potentially enable account takeover.
Affected Version(s)
parisneo/lollms <= unspecified
