CVE-2026-1116

Published: Apr 12, 2026

Modified: Apr 13, 2026

PUBLISHED

CVSS v3.0

8.2

HIGH

Description

A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.

Vendor	Product	Versions
parisneo	parisneo/lollms	affected `unspecified - < 2.2.0`

Weaknesses (CWE)

CWE-79

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

Low

Availability

None

References

https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e

https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2026-1116

Description

Affected Products

Weaknesses (CWE)

CVSS v3.0 Details

References