Platform: python
Component: lollms
Fixed in: 2.2.0
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in lollms, specifically within the social feature. This flaw, present in versions up to 2.1.9, allows attackers to inject and store malicious JavaScript code. Exploitation can lead to severe consequences, including account takeover and session hijacking, affecting users viewing the Home Feed, even administrators. The vulnerability is resolved in version 2.2.0.
The XSS vulnerability in lollms arises from insufficient sanitization of user-provided content within the create_post function. Attackers can craft malicious JavaScript payloads and inject them into posts. When other users, including administrators, view the Home Feed, this injected script executes within their browsers. This enables attackers to steal session cookies, hijack user accounts, and potentially launch wormable attacks, spreading the malicious code to other users. The severity is amplified by the potential for administrator account compromise, granting attackers control over the entire lollms instance.
CVE-2026-1115 was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease with which the flaw can be triggered suggests a high probability that it will be exploited. It is not currently listed on the CISA KEV catalog. Active campaigns are not confirmed, but the CRITICAL severity warrants immediate attention.
Administrators of lollms instances are particularly at risk due to their elevated privileges. Users who actively participate in the social feature of lollms are also vulnerable, as they may be exposed to malicious JavaScript injected by other users. Shared hosting environments running lollms could be affected if multiple tenants share the same database and one is compromised.
• python / lollms: Examine the backend/routers/social/init.py file for the create_post function and ensure proper sanitization of user input before assigning it to the DBPost model.
• generic web: Monitor access logs for suspicious POST requests to the create_post endpoint containing unusual JavaScript code (standard access logs record only the request line, so inspecting bodies requires a WAF or application-level request logging).
• generic web: Inspect the Home Feed page source code for any unexpected JavaScript code that might have been injected by an attacker.
Disclosure
Exploit status
EPSS: 0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1115 is to immediately upgrade lollms to version 2.2.0 or later, which contains the necessary sanitization fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out potentially malicious JavaScript payloads in the create_post endpoint. Thoroughly review and sanitize all user-provided input before storing it in the database. After upgrading, confirm the fix by attempting to create a post with a known malicious JavaScript payload and verifying that it is properly sanitized and does not execute when viewing the Home Feed.
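As an added example (not lollms's own code), the pattern the advisory describes together with the post-upgrade verification step above: a constructed DBPost stand-in, the unsanitized create_post shape, a hardened version that escapes before storage, and a parser-based check that the rendered feed contains no live markup. DBPost, PROBE, create_post_unsafe, create_post_safe, render_feed and find_active_markup are assumed names.

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser

@dataclass
class DBPost:
    """Constructed stand-in for the post model; not lollms's own DBPost."""
    author: str
    content: str

# Constructed, harmless verification probe of the kind the advisory says to submit after upgrading.
PROBE = '<img src=x onerror="alert(document.domain)">'

def create_post_unsafe(author: str, content: str) -> DBPost:
    """Vulnerable pattern: the request body is assigned to the model untouched."""
    return DBPost(author=author, content=content)

def create_post_safe(author: str, content: str) -> DBPost:
    """Hardened pattern: bound the size and HTML-escape before the row is stored,
    so every later feed renderer receives inert text. (If rich markup must be
    allowed, use an allow-list HTML sanitizer here instead, never a regex filter.)"""
    if not 1 <= len(content) <= 4000:
        raise ValueError("post body length out of range")
    return DBPost(author=html.escape(author), content=html.escape(content))

def render_feed(posts: list[DBPost]) -> str:
    """The sink: the feed template interpolates stored content as raw HTML."""
    return "<ul>" + "".join(f"<li><b>{p.author}</b>: {p.content}</li>" for p in posts) + "</ul>"

class _ActiveMarkupFinder(HTMLParser):
    """Parses rendered HTML as a browser would and records scriptable markup."""
    RISKY_TAGS = {"script", "img", "svg", "iframe", "object", "embed"}

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in self.RISKY_TAGS:
            self.findings.append(tag)
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.findings.append(f"{tag}@{name}")

def find_active_markup(rendered: str) -> list[str]:
    """Fix-verification check: parsing (not grepping 'onerror=') reports escaped text as clean."""
    finder = _ActiveMarkupFinder()
    finder.feed(rendered)
    finder.close()
    return finder.findings
```

Run the probe through both create_post variants and compare what find_active_markup reports for the rendered feed; a non-empty result on the fixed build means the sanitization is not in place.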
Upgrade to version 2.2.0 or later to mitigate the XSS vulnerability. This version fixes the missing sanitization of user input in the `create_post` function, which prevents malicious code from being injected into the Home Feed.
CVE-2026-1115 is a critical Stored Cross-Site Scripting (XSS) vulnerability in lollms versions up to 2.1.9, allowing attackers to inject malicious JavaScript into the social feature.
If you are running lollms version 2.1.9 or earlier, you are vulnerable to this XSS attack. Upgrade to 2.2.0 or later to mitigate the risk.
The recommended fix is to upgrade lollms to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
While no public exploits have been released, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the lollms project's official repository and release notes for the advisory regarding CVE-2026-1115.