CRITICAL🇵🇱 Wersja polska

CVE-2026-1115

CVSS 9.6v3.0pub. 2026-04-10upd. 2026-04-16

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  • Lollms

    APP
    Lollms
    ≤ 2.1.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
XSS
CWE
References

Related vulnerabilities

CVE-2026-1114CRITICAL9.8PL ✓ten sam produkt

Słaby klucz JWT umożliwia privilege escalation w parisneo/lollms

CVE-2026-0558CRITICAL9.8PL ✓ten sam produkt

Brak uwierzytelnienia w endpoint /api/files/extract-text w Lollms

CVE-2024-3429CRITICAL9.8PL ✓ten sam produkt

Path Traversal w lollms — nieautoryzowany odczyt plików na Windows

CVE-2026-0560HIGH7.5ten sam produkt

A Server-Side Request Forgery (SSRF) vulnerability exists in parisneo/lollms versions prior to 2.2.0, specific...

CVE-2026-0562HIGH8.3ten sam produkt

A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to acc...