The vulnerability CVE-2026-1116 in parisneo/lollms is a Cross-site Scripting (XSS) issue caused by the lack of sanitization or HTML encoding of the content field in the from_dict method of the AppLollmsMessage class. This allows injection of malicious HTML or JavaScript payloads during deserialization of user-provided data. The CVSS 3.0 score is 8.2, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. The impact includes potential account takeover and session hijacking. No patch or official remediation level is currently documented, and no known exploits have been observed in the wild.

Successful exploitation can lead to execution of arbitrary scripts in the context of other users' browsers, enabling account takeover, session hijacking, or propagation of wormable attacks. The vulnerability affects confidentiality and integrity with high impact on confidentiality and low impact on integrity. Availability is not impacted.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should exercise caution when handling untrusted input in the affected component. Avoid deserializing untrusted data or implement manual sanitization as a temporary mitigation.