LeakyCreds

CVE-2026-1116 - Vulnerability Analysis

Severity: High (CVSS 8.2)

Last Updated: April 12, 2026

parisneo/lollms - Stored XSS

Published: April 12, 2026
Updated: April 12, 2026
Remotely exploitable

Overview

parisneo/lollms prior to version 2.2.0 contains a stored cross-site scripting (XSS) vulnerability (CWE-79). The from_dict method of the AppLollmsMessage class neither sanitizes nor HTML-encodes the content field it deserializes, so an attacker who can get a crafted message stored can have its script execute in the browser of any other user who later views that message. Exploitation requires user interaction: the victim must load the page that renders the injected content.
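To make the bug class concrete, here is an added Python illustration; it is not lollms source. It shows a message class whose from_dict keeps the content field verbatim, beside a hardened version that HTML-encodes untrusted fields at deserialization time (the point the advisory says the project was missing), and renders both through the same template fragment. The names VulnerableMessage, HardenedMessage, render_message, is_inert and the sample payload are assumptions made for the example, not identifiers from the project.

```python
# Added illustration of the bug class behind CVE-2026-1116 (not lollms code):
# a message deserialised by from_dict() whose "content" later lands in another
# user's page. All class/function names and the sample payload are assumed.
import html
from dataclasses import dataclass


@dataclass
class VulnerableMessage:
    """Flawed pattern: from_dict() keeps content exactly as the peer sent it."""
    sender: str
    content: str

    @classmethod
    def from_dict(cls, data: dict) -> "VulnerableMessage":
        # No neutralisation: attacker-controlled markup is stored as-is.
        return cls(sender=str(data.get("sender", "")),
                   content=str(data.get("content", "")))


@dataclass
class HardenedMessage:
    """Fixed pattern: from_dict() HTML-encodes untrusted fields on the way in.

    quote=True also encodes " and ', so the value stays inert even if a
    template later places it inside an attribute rather than element text.
    """
    sender: str
    content: str

    @classmethod
    def from_dict(cls, data: dict) -> "HardenedMessage":
        return cls(sender=html.escape(str(data.get("sender", "")), quote=True),
                   content=html.escape(str(data.get("content", "")), quote=True))


def render_message(msg) -> str:
    """Template fragment that interpolates stored fields straight into HTML,
    the way a chat UI does when it shows one user's message to another."""
    return f'<div class="msg"><b>{msg.sender}</b>: {msg.content}</div>'


def is_inert(value: str) -> bool:
    """True when a stored field can no longer open a tag or break out of a
    quoted attribute; after html.escape() every such character is an entity."""
    return not any(ch in value for ch in "<>\"'")


# Constructed sample payload (not from any real report): the classic
# event-handler vector, reading the session cookie the Impact section warns about.
CONSTRUCTED_PAYLOAD = {
    "sender": "attacker",
    "content": '<img src=x onerror="alert(document.cookie)">',
}


def demo() -> tuple[str, str]:
    """Render the same attacker-supplied dict through both classes."""
    vulnerable = render_message(VulnerableMessage.from_dict(CONSTRUCTED_PAYLOAD))
    hardened = render_message(HardenedMessage.from_dict(CONSTRUCTED_PAYLOAD))
    return vulnerable, hardened


if __name__ == "__main__":
    vuln_html, safe_html = demo()
    print("vulnerable:", vuln_html)   # <img ... onerror=...> survives intact
    print("hardened:  ", safe_html)   # &lt;img ... &gt; is displayed, not executed
```

Two caveats on the design. Because the hardened class encodes at deserialization, the renderer must not escape the same field a second time, or stored messages show up as literal `&lt;` text; encoding at the output layer (an auto-escaping template engine) is the more general defense and avoids that double-encoding trap. And encoding is not the same as sanitization: if a product intentionally renders Markdown or a subset of HTML in messages, it needs an allowlist sanitizer rather than html.escape, otherwise the legitimate formatting is destroyed along with the payload.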

Severity & Score

Severity: High
CVSS Score: 8.2
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Because the payload is stored server-side, it runs in the browser of every user who later views the message, not just a single victim. That lets an attacker hijack sessions, take over accounts, or plant a self-propagating (wormable) payload that re-posts itself from each compromised user.

Mitigation

Update to version 2.2.0 or later. Until the upgrade is applied, treat message content as untrusted and HTML-encode it before it is rendered, and consider restricting who can post messages that other users will see.

Social Media Activity(4 posts)

TheHackerWire (@thehackerwire)
Apr 12, 2026

🟠 CVE-2026-1116 - High (8.2) A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content`... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-1116/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
OffSequence (@offseq)
Apr 12, 2026

🚨 HIGH severity XSS (CVE-2026-1116) in parisneo/lollms pre-2.2.0: Improper input sanitization in from_dict allows attackers to inject malicious scripts. Update ASAP! https://radar.offseq.com/threat/cve-2026-1116-cwe-79-improper-neutralization-of-in-c711f067 #OffSeq #XSS #Vuln #InfoSec

Details

CVE ID: CVE-2026-1116
Severity: High
CVSS Score: 8.2
Type: Stored XSS
Status: New
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Decoded: attack vector Network, attack complexity Low, no privileges required, user interaction Required (the victim must view the stored message), scope Changed (script runs in the victim's browser rather than in the vulnerable component itself), confidentiality impact High, integrity impact Low, availability impact None. Those metrics produce the 8.2 base score shown above.

EPSS Score

0.0% (probability of exploitation in the next 30 days)