Home / Vulnerability Intelligence / CVE-2026-1115

CVE-2026-1115 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: April 10, 2026

parisneo/lollms - Stored XSS

Published: April 10, 2026Updated: April 10, 2026Remote Exploitable

Overview

parisneo/lollms < 2.2.0 contains a stored XSS caused by unsanitized user input in create_post function in backend/routers/social/__init__.py, letting attackers inject malicious scripts executed in user browsers, exploit requires crafted post submission.

Severity & Score

Severity: Critical

CVSS Score: 9.6

Impact

Attackers can execute malicious scripts in user browsers, leading to account takeover, session hijacking, and wormable attacks.

Mitigation

Update to version 2.2.0 or later.

References

https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a
https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-1115
Severity: Critical
CVSS Score: 9.6
Type: stored_xss
Status: new

CWE

CWE-79

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H