Platform: python
Component: lollms
Fixed in: 2.2.0
A Stored Cross-Site Scripting (XSS) vulnerability has been identified in lollms, a Python-based language model project, affecting versions up to and including 2.1.9. This vulnerability resides within the social feature, allowing attackers to inject and store malicious JavaScript. Successful exploitation can lead to account takeover, session hijacking, and potentially wormable attacks, impacting administrators and other users viewing the Home Feed.
The XSS vulnerability in lollms allows attackers to inject arbitrary JavaScript code into the application. This code is then executed in the browsers of users who view the Home Feed, including administrators. An attacker could leverage this to steal session cookies, allowing them to impersonate legitimate users and gain unauthorized access to sensitive data and functionality. The wormable nature of the attack suggests that an attacker could potentially spread the malicious code to other users through the social feature, amplifying the impact. The direct assignment of user-provided content to the DBPost model without sanitization is the root cause, making it relatively straightforward to exploit.
CVE-2026-1115 was publicly disclosed on 2026-04-10. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and severity suggest a high probability of exploitation. The CVSS score of 9.6 (CRITICAL) reflects the significant risk posed by this vulnerability. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.05% (15th percentile)
The primary mitigation for CVE-2026-1115 is to upgrade lollms to version 2.2.0 or later, which includes a fix for the vulnerability. If an immediate upgrade is not feasible, a Web Application Firewall (WAF) rule that filters JavaScript payloads submitted to the `create_post` endpoint can reduce exposure, but treat it as a stopgap rather than a fix, since it does not remove the underlying defect. Additionally, carefully review and sanitize all user-provided input before storing it in the database, and regularly scan the application for XSS vulnerabilities using automated tools.
Update to version 2.2.0 or later to mitigate the XSS vulnerability. This version corrects the lack of sanitization of user input in the `create_post` function, preventing the injection of malicious code into the home feed.
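The following is an added illustration of the defect the advisory describes, not lollms' own code: a constructed stand-in for the `DBPost` model and `create_post` handler shows the unsanitized assignment beside a hardened version that escapes the content before it is stored, plus an audit helper for rows written before the upgrade (the store, class and function names are assumptions for this example).

```python
import html
import re
from dataclasses import dataclass, field


# Constructed stand-ins for the DBPost model and create_post handler the
# advisory describes; illustrative code, not lollms' own.
@dataclass
class DBPost:
    author_id: int
    content: str


@dataclass
class PostStore:
    rows: list[DBPost] = field(default_factory=list)

    def create_post_vulnerable(self, author_id: int, content: str) -> DBPost:
        """Pre-2.2.0 pattern: the request body is assigned to the model as-is,
        so any markup in it is persisted and later served to every feed viewer."""
        post = DBPost(author_id=author_id, content=content)
        self.rows.append(post)
        return post

    def create_post_fixed(self, author_id: int, content: str) -> DBPost:
        """Hardened pattern: neutralise HTML metacharacters before the row is
        written, so the stored text can never become live markup in the feed."""
        post = DBPost(author_id=author_id, content=html.escape(content, quote=True))
        self.rows.append(post)
        return post


# A raw tag opener ("<script", "<img", "</div", "<!--") in stored text.
_TAG_OPENER = re.compile(r"<\s*[a-zA-Z/!]")


def audit_stored_posts(store: PostStore) -> list[int]:
    """After upgrading, rows written while the bug was live are still in the
    database. Return the indices of posts whose content contains raw markup so
    they can be reviewed or re-escaped; escaped rows hold no '<' and are skipped."""
    return [i for i, p in enumerate(store.rows) if _TAG_OPENER.search(p.content)]


def demo_store() -> PostStore:
    """Build a store holding one legacy row and two rows written after the fix."""
    store = PostStore()
    payload = "<script>alert(1)</script>"           # constructed sample input
    store.create_post_vulnerable(1, payload)         # stored verbatim (legacy row)
    store.create_post_fixed(1, payload)              # stored as &lt;script&gt;...
    store.create_post_fixed(2, "hello & welcome")    # harmless text, '&' escaped
    return store


if __name__ == "__main__":
    print(audit_stored_posts(demo_store()))          # [0]
```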
CVE-2026-1115 is a critical Stored Cross-Site Scripting (XSS) vulnerability in lollms versions up to 2.1.9, allowing attackers to inject malicious JavaScript into the social feature.
If you are running lollms version 2.1.9 or earlier, you are vulnerable to this XSS attack. Upgrade to 2.2.0 or later to mitigate the risk.
The recommended fix is to upgrade lollms to version 2.2.0 or later. As a temporary workaround, implement a WAF rule to filter malicious JavaScript.
While no public exploits have been released, the vulnerability's severity and ease of exploitation suggest a high probability of active exploitation.
Refer to the lollms project's official repository and release notes for the advisory regarding CVE-2026-1115.