2.2.0
A Cross-Site Scripting (XSS) vulnerability has been discovered in the lollms project, specifically within the from_dict method of the AppLollmsMessage class. This flaw, present in versions prior to 2.2.0, allows attackers to inject malicious HTML or JavaScript code. Successful exploitation can compromise user accounts and potentially lead to broader security incidents within applications utilizing lollms. The vulnerability is fixed in version 2.2.0.
The XSS vulnerability in lollms arises from insufficient sanitization of the content field when deserializing user-provided data. An attacker can craft a malicious payload containing HTML or JavaScript code and inject it into the application. When another user views the affected content, the injected script executes within their browser context. This can lead to several severe consequences, including session hijacking, account takeover, and potentially wormable attacks where the attacker can spread the malicious code to other users. The impact is particularly significant in environments where lollms is used to process user-generated content or handle sensitive data.
This vulnerability was publicly disclosed on 2026-04-12. No public proof-of-concept (PoC) code has been released at the time of writing, but the nature of XSS vulnerabilities makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog. The potential for widespread exploitation is moderate, given the prevalence of JavaScript-based applications and the ease with which XSS vulnerabilities can be exploited.
Exploit Status
EPSS
0.01% (1% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1116 is to immediately upgrade to version 2.2.0 or later of lollms. If upgrading is not feasible due to compatibility issues or breaking changes, consider implementing input validation and output encoding on the content field to sanitize user-provided data. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and update input validation routines to prevent similar vulnerabilities in the future. After upgrade, confirm by testing the application with various input scenarios to ensure the vulnerability is no longer exploitable.
Update to version 2.2.0 or later to mitigate the XSS vulnerability. This update includes proper sanitization or HTML encoding of user-provided data in the 'content' field to prevent malicious code injection.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2026-1116 is a Cross-Site Scripting (XSS) vulnerability in the lollms project, affecting versions before 2.2.0. It allows attackers to inject malicious scripts through the content field during deserialization.
You are affected if you are using lollms version prior to 2.2.0 and have not implemented proper input sanitization.
Upgrade to version 2.2.0 or later of lollms. If upgrading is not possible, implement input validation and output encoding on the content field.
While no public exploits are currently known, the vulnerability's nature suggests it could be exploited, and monitoring is advised.
Refer to the lollms project's official repository or website for the advisory related to CVE-2026-1116.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.