311 matches found
CVE-2026-1116
A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...
CVE-2026-1116 Cross-site Scripting (XSS) in parisneo/lollms
A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...
CVE-2026-1116
A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...
CVE-2026-1116
CVE-2026-1116 affects parisneo/lollms, specifically the AppLollmsMessage.from_dict deserialization path. The issue arises from insufficient sanitization/HTML encoding of the content field when processing user-provided data, leading to a Cross-site Scripting (XSS) vulnerability in versions prior t...
CVE-2026-1116 Cross-site Scripting (XSS) in parisneo/lollms
A Cross-site Scripting XSS vulnerability was identified in the fromdict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows a...
PT-2026-32142
A Cross-site Scripting XSS vulnerability was identified in the from dict method of the AppLollmsMessage class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the content field when deserializing user-provided data. This allows ...
PT-2026-32123
I found a Content-Type spoofing vulnerability in the image upload functionality of parisneo/lollms CVE-2026-5728. https://t.co/grkXMU7v9I security websecurity infosec appsec cve python bugbounty...
GHSA-8WRQ-FV5F-PFP2 parisneo/lollms vulnerable to stored XSS in the social feature
A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...
CVE-2026-1115
CVE-2026-1115 affects parisneo/lollms prior to 2.2.0. A Stored XSS in create_post allows user-supplied content to be stored in DBPost and later rendered in the Home Feed, potentially executing in victims’ browsers and affecting administrators. Affected component: backend/routers/social/init .py. ...
CVE-2026-1115 Stored XSS in parisneo/lollms
A Stored Cross-Site Scripting XSS vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the createpost function within backend/routers/social/init.py, where user-provided content is directly assigned to the...
GHSA-8JG2-726G-XH43 parisneo/lollms has an insufficient session expiration vulnerability
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
CVE-2026-1163
CVE-2026-1163 describes an insufficient session expiration in the latest version of parisneo/lollms, where active sessions are not invalidated after a password reset due to missing logic to reject idle requests and a default 31-day session duration. This enables a compromised account to retain ac...
EUVD-2026-20030
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
CVE-2026-1163 Insufficient Session Expiration in parisneo/lollms
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
PT-2026-31070
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-0562
A critical security vulnerability in parisneo/lollms versions up to 2.2.0 allows any authenticated user to accept or reject friend requests belonging to other users. The respondrequest function in backend/routers/friends.py does not implement proper authorization checks, enabling Insecure Direct...
CVE-2026-0560
A Server-Side Request Forgery SSRF vulnerability exists in parisneo/lollms versions prior to 2.2.0, specifically in the /api/files/export-content endpoint. The downloadimagetotemp function in backend/routers/files.py fails to validate user-controlled URLs, allowing attackers to make arbitrary HTT...