parisneo/lollms anfällig für gespeichertem XSS in der Social-Funktion
Plattform
python
Komponente
lollms
Behoben in
2.2.0
2.2.0
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in lollms, specifically within the social feature. This flaw, present in versions up to 2.1.9, allows attackers to inject and store malicious JavaScript code. Exploitation can lead to severe consequences, including account takeover and session hijacking, affecting users viewing the Home Feed, even administrators. The vulnerability is resolved in version 2.2.0.
Erkenne diese CVE in deinem Projekt
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.
Auswirkungen und Angriffsszenarien
The XSS vulnerability in lollms arises from insufficient sanitization of user-provided content within the create_post function. Attackers can craft malicious JavaScript payloads and inject them into posts. When other users, including administrators, view the Home Feed, this injected script executes within their browsers. This enables attackers to steal session cookies, hijack user accounts, and potentially launch wormable attacks, spreading the malicious code to other users. The severity is amplified by the potential for administrator account compromise, granting attackers control over the entire lollms instance.
Ausnutzungskontext
CVE-2026-1115 was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's ease of exploitation suggests a high probability of exploitation. It is not currently listed on the CISA KEV catalog. Active campaigns are not confirmed, but the CRITICAL severity warrants immediate attention.
Wer Ist Gefährdetwird übersetzt…
Administrators of lollms instances are particularly at risk due to their elevated privileges. Users who actively participate in the social feature of lollms are also vulnerable, as they may be exposed to malicious JavaScript injected by other users. Shared hosting environments running lollms could be affected if multiple tenants share the same database and one is compromised.
Erkennungsschrittewird übersetzt…
• python / lollms: Examine the backend/routers/social/init.py file for the create_post function and ensure proper sanitization of user input before assigning it to the DBPost model.
• generic web: Monitor access logs for suspicious POST requests to the create_post endpoint containing unusual JavaScript code.
• generic web: Inspect the Home Feed page source code for any unexpected JavaScript code that might have been injected by an attacker.
Angriffszeitlinie
- Disclosure
disclosure
Bedrohungsanalyse
Exploit-Status
EPSS
0.05% (15% Perzentil)
CISA SSVC
CVSS-Vektor
Was bedeuten diese Metriken?
- Attack Vector
- Netzwerk — aus der Ferne über das Internet ausnutzbar. Kein physischer oder lokaler Zugriff erforderlich.
- Attack Complexity
- Niedrig — keine besonderen Bedingungen erforderlich. Zuverlässig ausnutzbar.
- Privileges Required
- Keine — ohne Authentifizierung ausnutzbar. Keine Zugangsdaten erforderlich.
- User Interaction
- Erforderlich — Opfer muss eine Datei öffnen, auf einen Link klicken oder eine Seite besuchen.
- Scope
- Geändert — Angriff kann über die anfällige Komponente hinaus auf andere Systeme übergreifen.
- Confidentiality
- Hoch — vollständiger Vertraulichkeitsverlust. Angreifer kann alle Daten lesen.
- Integrity
- Hoch — Angreifer kann beliebige Daten schreiben, ändern oder löschen.
- Availability
- Hoch — vollständiger Absturz oder Ressourcenerschöpfung. Totaler Denial of Service.
Betroffene Software
Schwachstellen-Klassifikation (CWE)
Zeitleiste
- Reserviert
- Veröffentlicht
- EPSS aktualisiert
Mitigation und Workarounds
The primary mitigation for CVE-2026-1115 is to immediately upgrade lollms to version 2.2.0 or later, which contains the necessary sanitization fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in the create_post endpoint. Thoroughly review and sanitize all user-provided input before storing it in the database. After upgrading, confirm the fix by attempting to create a post with a known malicious JavaScript payload and verifying that it is properly sanitized and does not execute when viewing the Home Feed.
So beheben
Aktualisieren Sie auf Version 2.2.0 oder höher, um die XSS-Schwachstelle zu entschärfen. Diese Version behebt das Fehlen der Bereinigung der Benutzereingabe in der Funktion `create_post`, wodurch die Injektion von bösartigem Code in den Home Feed verhindert wird.
CVE-Sicherheitsnewsletter
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
Häufig gestellte Fragenwird übersetzt…
What is CVE-2026-1115 — XSS in lollms ≤2.1.9?
CVE-2026-1115 is a critical Stored Cross-Site Scripting (XSS) vulnerability in lollms versions up to 2.1.9, allowing attackers to inject malicious JavaScript into the social feature.
Am I affected by CVE-2026-1115 in lollms ≤2.1.9?
If you are running lollms version 2.1.9 or earlier, you are vulnerable to this XSS attack. Upgrade to 2.2.0 or later to mitigate the risk.
How do I fix CVE-2026-1115 in lollms ≤2.1.9?
The recommended fix is to upgrade lollms to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
Is CVE-2026-1115 being actively exploited?
While no public exploits have been released, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Where can I find the official lollms advisory for CVE-2026-1115?
Refer to the lollms project's official repository and release notes for the advisory regarding CVE-2026-1115.
Ist dein Projekt betroffen?
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.