CVE-2026-1115: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in parisneo parisneo/lollms
CVE-2026-1115 is a critical stored Cross-Site Scripting (XSS) vulnerability in the social feature of the parisneo/lollms application prior to version 2. 2. 0. The flaw exists in the create_post function where user input is stored without proper sanitization, allowing malicious JavaScript to be injected and executed in the browsers of users viewing the Home Feed, including administrators. This can lead to severe impacts such as account takeover, session hijacking, and wormable attacks. The vulnerability is resolved in version 2. 2. 0.
AI Analysis
Technical Summary
This vulnerability is a stored XSS (CWE-79) in parisneo/lollms affecting versions before 2.2.0. The issue arises because the create_post function in backend/routers/social/__init__.py assigns user-supplied content directly to the DBPost model without sanitization. As a result, attackers can inject malicious scripts that execute in the context of users viewing the Home Feed, enabling potential account compromise and propagation of attacks. The CVSS 3.0 score is 9.6, indicating critical severity. The vendor fixed this issue in version 2.2.0.
Potential Impact
Exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who view the compromised posts, including administrators. This can lead to account takeover, session hijacking, and the ability to perform wormable attacks that propagate through the user base. The vulnerability affects confidentiality, integrity, and availability of the application and user accounts.
Mitigation Recommendations
Upgrade to parisneo/lollms version 2.2.0 or later, where this vulnerability has been fixed by properly sanitizing user input in the create_post function. Since this is an application-level vulnerability and not a cloud service, applying the official patch is necessary to remediate the risk. Patch status is confirmed fixed in version 2.2.0.
CVE-2026-1115: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in parisneo parisneo/lollms
Description
CVE-2026-1115 is a critical stored Cross-Site Scripting (XSS) vulnerability in the social feature of the parisneo/lollms application prior to version 2. 2. 0. The flaw exists in the create_post function where user input is stored without proper sanitization, allowing malicious JavaScript to be injected and executed in the browsers of users viewing the Home Feed, including administrators. This can lead to severe impacts such as account takeover, session hijacking, and wormable attacks. The vulnerability is resolved in version 2. 2. 0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This vulnerability is a stored XSS (CWE-79) in parisneo/lollms affecting versions before 2.2.0. The issue arises because the create_post function in backend/routers/social/__init__.py assigns user-supplied content directly to the DBPost model without sanitization. As a result, attackers can inject malicious scripts that execute in the context of users viewing the Home Feed, enabling potential account compromise and propagation of attacks. The CVSS 3.0 score is 9.6, indicating critical severity. The vendor fixed this issue in version 2.2.0.
Potential Impact
Exploitation allows attackers to execute arbitrary JavaScript in the browsers of users who view the compromised posts, including administrators. This can lead to account takeover, session hijacking, and the ability to perform wormable attacks that propagate through the user base. The vulnerability affects confidentiality, integrity, and availability of the application and user accounts.
Mitigation Recommendations
Upgrade to parisneo/lollms version 2.2.0 or later, where this vulnerability has been fixed by properly sanitizing user input in the create_post function. Since this is an application-level vulnerability and not a cloud service, applying the official patch is necessary to remediate the risk. Patch status is confirmed fixed in version 2.2.0.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- @huntr_ai
- Date Reserved
- 2026-01-17T14:34:51.892Z
- Cvss Version
- 3.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d8a14c1cc7ad14da9459dd
Added to database: 4/10/2026, 7:05:48 AM
Last enriched: 4/17/2026, 12:30:14 PM
Last updated: 5/25/2026, 9:16:35 AM
Views: 89
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.