{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1115", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-17T14:34:51.892Z", "datePublished": "2026-04-10T06:23:13.463Z", "dateUpdated": "2026-04-10T06:23:13.463Z"}, "containers": {"cna": {"title": "Stored XSS in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-10T06:23:13.463Z"}, "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "lessThan": "2.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa"}, {"url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.6, "baseSeverity": "CRITICAL"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "source": {"advisory": "099aa4fe-7165-4337-889c-3fb4f1aa71aa", "discovery": "EXTERNAL"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0."}], "id": "CVE-2026-1115", "lastModified": "2026-04-10T07:16:20.750", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-04-10T07:16:20.750", "references": [{"source": "security@huntr.dev", "url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-04-10T08:21:58.119422+00:00", "value": {"mitigation_remediation": ["Upgrade lollms to version 2.2.0 or later."], "summary": {"action": "Immediate Patch", "impact": "Client\u2011side code execution (Stored XSS)"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the lollms application developed by parisneo. Any installation of the product with a version earlier than 2.2.0 is impacted. Updates to version 2.2.0 and onward contain the fix.", "description_and_impact": "A stored cross\u2011site scripting flaw was discovered in the social module of lollms. The create_post routine saves user input directly into the database without sanitization, allowing an attacker to embed malicious JavaScript that is later rendered in the browsers of anyone who views the home feed, including administrators. This enables session hijacking, account takeover and potentially wormable attacks, as the injected script runs with the privileges of the victim user. The weakness aligns with CWE\u201179.", "risk_and_exploitability": "The CVSS score of 9.6 signals a very high severity, reflecting the extensive impact on confidentiality, integrity, and availability of user sessions. Although EPSS data is unavailable, the clear attack path\u2014an attacker creating a post that gets stored and later viewed\u2014suggests that exploitation is straightforward for authenticated users. The vulnerability is not listed in CISA\u2019s KEV catalog, but its high score and the ability to self\u2011propagate make it a critical risk for exposed installations."}}}}, "created": "2026-04-10T08:35:32.210748+00:00", "updated": "2026-04-10T09:26:33.426744+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$lollms"]}