Platform
javascript
Component
lollms
Fixed in
2.2.0
A Cross-Site Scripting (XSS) vulnerability has been identified in parisneo/lollms versions before 2.2.0. This flaw stems from insufficient sanitization of the 'content' field within the AppLollmsMessage class's from_dict method. Successful exploitation allows attackers to inject malicious scripts, potentially compromising user accounts and system integrity. The vulnerability is fixed in version 2.2.0.
The XSS vulnerability in lollms allows an attacker to inject arbitrary HTML or JavaScript code into the application. This code will then be executed in the context of another user's browser when they view the affected page. The impact can be severe, ranging from simple defacement to complete account takeover. An attacker could steal session cookies, redirect users to malicious websites, or even execute arbitrary code on the user's machine. The wormable nature of XSS means that the attack can spread to other users who interact with the compromised application, amplifying the impact significantly.
This vulnerability was publicly disclosed on 2026-04-12. There is currently no indication of active exploitation campaigns targeting lollms. The availability of a public CVE suggests that security researchers have identified and reported the vulnerability. No KEV listing is present at this time. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation associated with XSS vulnerabilities.
Applications that utilize lollms to process user-generated content or handle sensitive data are at significant risk. This includes web applications, chatbots, and any system where user input is deserialized and displayed without proper sanitization. Developers using older versions of lollms and those who haven't implemented robust input validation routines are particularly vulnerable.
• javascript: Inspect application code for instances where AppLollmsMessage objects are deserialized from user input without proper sanitization. Search for the from_dict method and its usage.
• generic web: Monitor web application logs for suspicious JavaScript execution patterns or unusual HTML content. Look for patterns indicative of XSS payloads.
• generic web: Use browser developer tools to inspect the DOM for unexpected script tags or HTML elements that could indicate XSS exploitation.
disclosure
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1116 is to upgrade lollms to version 2.2.0 or later, which includes the necessary sanitization fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter potentially malicious input in the 'content' field. Specifically, look for patterns indicative of HTML or JavaScript injection attempts. Input validation on the server-side, restricting the allowed characters and length of the 'content' field, can also provide a temporary layer of defense. After upgrading, verify the fix by attempting to inject a simple XSS payload (e.g., <script>alert(1)</script>) into the 'content' field and confirming that it is not executed.
Update to version 2.2.0 or later to mitigate the XSS vulnerability. This update includes proper sanitization or HTML encoding of user-supplied data in the 'content' field to prevent the injection of malicious code.
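Added example, not code from lollms and not its actual from_dict implementation: a JavaScript sketch of the unsafe "deserialize 'content', then interpolate it into markup" pattern beside a hardened version that validates on deserialization and HTML-encodes at the render boundary, checked with the page's `<script>alert(1)</script>` payload. The names (fromDictSafe, escapeHtml, MAX_CONTENT, renderSafe) are hypothetical.

```javascript
// Added example, not lollms code: unsafe deserialize-then-render pattern beside a
// hardened one. All names here are hypothetical.

// Encode the characters that let text break out of an HTML text or attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Unsafe: 'content' is copied from the untrusted dict without any validation.
function fromDictUnsafe(d) {
  return { sender: d.sender, content: d.content };
}

// Hardened: enforce type and length at deserialization time. The text is kept
// verbatim here; encoding happens at the output boundary in renderSafe().
const MAX_CONTENT = 10000; // assumed limit for illustration, not a lollms setting
function fromDictSafe(d) {
  if (typeof d.content !== 'string') throw new TypeError("'content' must be a string");
  if (d.content.length > MAX_CONTENT) throw new RangeError("'content' exceeds limit");
  return { sender: String(d.sender ?? 'unknown'), content: d.content };
}

// Unsafe render: raw interpolation, so markup inside 'content' becomes live DOM.
function renderUnsafe(msg) {
  return `<div class="msg"><b>${msg.sender}</b>: ${msg.content}</div>`;
}

// Safe render: every untrusted field is encoded before it enters the markup.
function renderSafe(msg) {
  return `<div class="msg"><b>${escapeHtml(msg.sender)}</b>: ${escapeHtml(msg.content)}</div>`;
}

// Crude post-upgrade check in the spirit of the advisory: does a <script> tag survive?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample message carrying the page's test payload in 'content'.
const SAMPLE = { sender: 'guest', content: 'hello <script>alert(1)</script>' };

function demo() {
  return {
    unsafe: renderUnsafe(fromDictUnsafe(SAMPLE)),
    safe: renderSafe(fromDictSafe(SAMPLE)),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```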
CVE-2026-1116 is a Cross-Site Scripting (XSS) vulnerability in the lollms project, affecting versions before 2.2.0. It allows attackers to inject malicious scripts through the content field during deserialization.
You are affected if you are using lollms version prior to 2.2.0 and have not implemented proper input sanitization.
Upgrade to version 2.2.0 or later of lollms. If upgrading is not possible, implement input validation and output encoding on the content field.
While no public exploits are currently known, the vulnerability's nature suggests it could be exploited, and monitoring is advised.
Refer to the lollms project's official repository or website for the advisory related to CVE-2026-1116.