VYPR

CVE-2026-1115

Critical severity 9.6 · NVD Advisory · Published Apr 10, 2026 · Updated Apr 16, 2026

Description

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the create_post function within backend/routers/social/__init__.py, where user-provided content is directly assigned to the DBPost model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.
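The bug class the description names, recreated as a self-contained Python illustration added here (it is not parisneo/lollms code): a write path that copies request content straight into the post model, the same path with HTML encoding applied before storage, a feed renderer that trusts stored content as the advisory says the Home Feed did, and an audit helper for rows written before a fix. Every name (DBPost, create_post_unsafe, create_post_safe, render_feed, find_active_markup) and all sample input is a constructed stand-in.

```python
from dataclasses import dataclass
from html import escape
import re


@dataclass
class DBPost:
    # Constructed stand-in for the real model; not the lollms DBPost.
    author_id: str
    content: str


def create_post_unsafe(feed: list, author_id: str, content: str) -> DBPost:
    # The vulnerable pattern: user-provided content assigned to the model verbatim.
    post = DBPost(author_id, content)
    feed.append(post)
    return post


def create_post_safe(feed: list, author_id: str, content: str) -> DBPost:
    # Hardened write path: encode '<', '>', '&' and quotes so markup is inert text.
    post = DBPost(author_id, escape(content, quote=True))
    feed.append(post)
    return post


def render_feed(feed: list) -> str:
    # Stand-in for a feed template that trusts stored content. Encoding here too
    # (escape(p.content)) is the second layer that holds even for old rows; it is
    # left out so the effect of each write path is visible in the output.
    body = "".join(f'<div class="post">{p.content}</div>' for p in feed)
    return f'<section id="feed">{body}</section>'


# Heuristic markers of markup that executes when reflected verbatim: script tags,
# on* event-handler attributes, javascript: URLs. Tune for your own data.
_ACTIVE = re.compile(r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.I)


def find_active_markup(feed: list) -> list:
    # Audit helper: indexes of rows still carrying executable markup. A fix on the
    # write path does not rewrite rows stored before it, so check them afterwards.
    return [i for i, p in enumerate(feed) if _ACTIVE.search(p.content)]
```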


Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Ecosystem | Affected versions | Patched versions
lollms  | PyPI      | < 2.2.0           | 2.2.0
