Description
A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.
Published: 2026-04-10
Score: 9.6 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Client‑side code execution (Stored XSS)
Action: Immediate Patch
AI Analysis

Impact

A stored cross‑site scripting flaw was discovered in the social module of lollms. The create_post routine saves user input directly into the database without sanitization, allowing an attacker to embed malicious JavaScript that is later rendered in the browsers of anyone who views the home feed, including administrators. This enables session hijacking, account takeover and potentially wormable attacks, as the injected script runs with the privileges of the victim user. The weakness aligns with CWE‑79.
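
The pattern the description names, post content stored verbatim and later interpolated into the feed page as markup, beside a hardened renderer that HTML-encodes every user-controlled field at output time, as an added Python example. This is not lollms code: the `Post` dataclass, the `FEED` list and the `create_post`, `render_feed_unsafe`, `render_feed_safe` and `raw_content_leaks` functions are constructed stand-ins for the `DBPost` model and the `create_post` route, and the sample post is constructed test input.

```python
import html
from dataclasses import dataclass


@dataclass
class Post:
    """Constructed in-memory stand-in for the DBPost model; not lollms code."""
    author: str
    content: str


FEED: list[Post] = []


def create_post(author: str, content: str) -> Post:
    """Same shape as the flawed route: the body is stored verbatim.
    Storing raw text is only acceptable if every renderer encodes it."""
    post = Post(author=author, content=content)
    FEED.append(post)
    return post


def render_feed_unsafe(feed: list[Post]) -> str:
    """Vulnerable rendering (CWE-79): stored content is interpolated into the
    page as markup, so a post containing a script tag runs for every viewer."""
    return "".join(f"<article><b>{p.author}</b>: {p.content}</article>" for p in feed)


def render_feed_safe(feed: list[Post]) -> str:
    """Hardened rendering: every user-controlled field is HTML-encoded at the
    point it enters the document, so <, >, &, and quotes become inert text."""
    return "".join(
        f"<article><b>{html.escape(p.author)}</b>: {html.escape(p.content)}</article>"
        for p in feed
    )


def raw_content_leaks(rendered: str, feed: list[Post]) -> bool:
    """Regression check for a template or route: True if any post whose raw text
    contains a tag delimiter appears unencoded in the rendered output."""
    return any("<" in p.content and p.content in rendered for p in feed)


if __name__ == "__main__":
    FEED.clear()
    create_post("alice", "<script>alert(1)</script>")  # constructed sample post
    assert raw_content_leaks(render_feed_unsafe(FEED), FEED)
    assert not raw_content_leaks(render_feed_safe(FEED), FEED)
    print(render_feed_safe(FEED))
```

The same `raw_content_leaks` check can be run against a real template's output in a test suite to catch a renderer that regresses to unencoded interpolation.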

Affected Systems

The vulnerability affects the lollms application developed by parisneo. Any installation of the product with a version earlier than 2.2.0 is impacted. Updates to version 2.2.0 and onward contain the fix.

Risk and Exploitability

The CVSS score of 9.6 signals a very high severity, reflecting the extensive impact on confidentiality, integrity, and availability of user sessions. Although EPSS data is unavailable, the clear attack path—an attacker creating a post that gets stored and later viewed—suggests that exploitation is straightforward for authenticated users. The vulnerability is not listed in CISA’s KEV catalog, but its high score and the ability to self‑propagate make it a critical risk for exposed installations.

Generated by OpenCVE AI on April 10, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade lollms to version 2.2.0 or later.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 13:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

  • First Time appeared, values added: Parisneo; Parisneo lollms
  • Vendors & Products, values added: Parisneo; Parisneo lollms

Fri, 10 Apr 2026 07:00:00 +0000

  • Description, values added: A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.
  • Title, values added: Stored XSS in parisneo/lollms
  • Weaknesses, values added: CWE-79
  • References, values added: none listed
  • Metrics, values added: cvssV3_0 {'score': 9.6, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}



MITRE

Status: PUBLISHED

Assigner: @huntr_ai

Published:

Updated: 2026-04-10T13:01:44.634Z

Reserved: 2026-01-17T14:34:51.892Z

Link: CVE-2026-1115

Vulnrichment

Updated: 2026-04-10T13:01:27.198Z

NVD

Status : Received

Published: 2026-04-10T07:16:20.750

Modified: 2026-04-10T13:16:43.970

Link: CVE-2026-1115

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:26:33Z

Weaknesses