PT-2026-31885 · Parisneo · Lollms

Published: 2026-04-10 · Updated: 2026-04-11 · CVE-2026-1115

CVSS v3.1: 9.6 (Critical) · AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: parisneo/lollms versions prior to 2.2.0

Description: A Stored Cross-Site Scripting (XSS) vulnerability exists in the social feature of parisneo/lollms. The vulnerability is located in the create post function within backend/routers/social/__init__.py, where user-provided content is assigned directly to the DBPost model without proper sanitization. This allows an attacker to inject JavaScript that executes in the browsers of users viewing the Home Feed, potentially leading to account takeover, session hijacking and wormable attacks.

Recommendations: Upgrade to version 2.2.0 to resolve the vulnerability.
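The storage pattern the description names, beside a hardened version, as an added example that is not code from the lollms project: DBPost, create_post_vulnerable, create_post_fixed and the allow-list are constructed stand-ins, and the fixed path sanitizes content before it is assigned to the model (the feed should still output-encode on render as defence in depth).

```python
import html
from dataclasses import dataclass
from html.parser import HTMLParser


@dataclass
class DBPost:  # stand-in for the advisory's DBPost model (constructed here)
    user_id: int
    content: str

# Formatting tags a feed post may keep; everything else is dropped, and
# attributes are never preserved (so no on* handlers, href, src, style).
ALLOWED_TAGS = {"b", "i", "em", "strong", "p", "br", "code", "pre", "ul", "ol", "li"}
RAW_TEXT_TAGS = {"script", "style"}  # their bodies are discarded, not escaped


class _Sanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out: list[str] = []
        self._skip = 0  # >0 while inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in RAW_TEXT_TAGS:
            self._skip += 1
        elif tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally dropped

    def handle_endtag(self, tag):
        if tag in RAW_TEXT_TAGS:
            self._skip = max(0, self._skip - 1)
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data, quote=True))  # text is always escaped


def sanitize_html(content: str) -> str:
    """Allow-list sanitize untrusted post content before it reaches storage."""
    p = _Sanitizer()
    p.feed(content)
    p.close()
    return "".join(p.out)


def create_post_vulnerable(user_id: int, content: str) -> DBPost:
    # Pattern the advisory describes: user content stored verbatim.
    return DBPost(user_id=user_id, content=content)


def create_post_fixed(user_id: int, content: str) -> DBPost:
    # Sanitize on write; the feed should still output-encode on render.
    return DBPost(user_id=user_id, content=sanitize_html(content))
```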

Tags: XSS

Related Identifiers: CVE-2026-1115, GHSA-8WRQ-FV5F-PFP2

Affected Products: Lollms