2 matches found
CVE-2026-12228
The CVE describes a stored XSS in parisneo/lollms via POST /api/prompts/share where attacker-controlled prompt_content is saved to DBDirectMessage.content and later rendered with v-html in the DM UI. The frontend regex-based sanitizer fails to fully sanitize HTML, enabling malicious payloads to r...
EUVD-2026-45401
A stored cross-site scripting XSS vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms latest version. The endpoint stores attacker-controlled promptcontent into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message DM thread,...