PT-2026-32142 · Parisneo · Lollms

Published

2026-01-12

·

Updated

2026-04-12

·

CVE-2026-1116

CVSS v2.0

8.5

High

Vector

AV:N/AC:L/Au:N/C:C/I:P/A:N

Name of the Vulnerable Software and Affected Versions

parisneo/lollms versions prior to 2.2.0

Description

A Cross-site Scripting (XSS) vulnerability exists in the from_dict method of the AppLollmsMessage class. The issue is due to insufficient sanitization or HTML encoding of the content field when processing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads that execute in the context of another user's browser. Successful exploitation could lead to account takeover or session hijacking.

Recommendations

Update to version 2.2.0 or later.
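As an added illustration of the weakness class described above (this is not code from the lollms project; the class, field names and sample message are constructed), a hypothetical message class whose from_dict stores the content field verbatim, beside a variant that HTML-encodes it at ingestion, with a check a defender can run over stored messages to flag fields that skipped encoding:

```python
import html
from dataclasses import dataclass

# Constructed sample input: a chat message whose "content" field carries markup.
UNTRUSTED_MESSAGE = {"sender": "guest", "content": "hello <script>alert(1)</script>"}


@dataclass
class Message:
    """Hypothetical stand-in for a chat message object; not the lollms class."""
    sender: str
    content: str

    def to_html(self) -> str:
        # The sink: fields interpolated straight into HTML that another user's browser renders.
        return f'<div class="msg"><b>{self.sender}</b>: {self.content}</div>'


class UnsafeMessage(Message):
    @classmethod
    def from_dict(cls, data: dict) -> "UnsafeMessage":
        # The pattern the advisory describes: user-provided fields are taken as-is.
        return cls(sender=data["sender"], content=data["content"])


class SafeMessage(Message):
    @classmethod
    def from_dict(cls, data: dict) -> "SafeMessage":
        # Fix: HTML-encode untrusted fields once, when the dict is parsed, so every
        # later render path receives inert text (quote=True also neutralises attributes).
        return cls(sender=html.escape(str(data["sender"]), quote=True),
                   content=html.escape(str(data["content"]), quote=True))


def has_raw_markup(msg: Message) -> bool:
    """Audit check: an unencoded angle bracket or quote left in a user-supplied
    field means the encoding step was skipped for that message."""
    return any(ch in field for field in (msg.sender, msg.content) for ch in "<>\"'")


if __name__ == "__main__":
    for cls in (UnsafeMessage, SafeMessage):
        m = cls.from_dict(UNTRUSTED_MESSAGE)
        print(cls.__name__, "raw markup left:", has_raw_markup(m))
        print("   ", m.to_html())
```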

XSS

Related Identifiers

BDU:2026-06490
CVE-2026-1116

Affected Products

Lollms