Vulnerability Description
A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Lollms | Lollms | <= 2.1.0 |
Related Weaknesses (CWE)
References
- https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b829Patch
- https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788eExploitThird Party Advisory
FAQ
What is CVE-2026-1116?
CVE-2026-1116 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of...
How severe is CVE-2026-1116?
CVE-2026-1116 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-1116?
Check the references section above for vendor advisories and patch information. Affected products include: Lollms Lollms.