CVE-2026-1163

Name of the Vulnerable Software and Affected Versions parisneo/lollms (affected versions not specified)

Description The application does not invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This is due to a lack of logic to reject requests after inactivity and a long default session duration of 31 days. This enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.