EUVD-2026-20030 | CVE-2026-1163 | MEDIUM

2026-04-08 | @huntr_ai | GHSA-8jg2-726g-xh43
CVSS 3.0 base score: 4.1

CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

Attack Vector         Network
Attack Complexity     High
Privileges Required   High
User Interaction      None
Scope                 Unchanged
Confidentiality       Low
Integrity             Low
Availability          Low

Lifecycle Timeline

Analysis Generated   Apr 08, 2026 - 02:30 (vuln.today)
EUVD ID Assigned     Apr 08, 2026 - 02:30 (euvd)   EUVD-2026-20030
CVE Published        Apr 08, 2026 - 02:20 (nvd)    MEDIUM 4.1

Description

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

Analysis

Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. …
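The description and analysis above name three gaps: sessions survive a password reset, no inactivity cut-off exists, and the default lifetime is 31 days. The following session store is an added example written for this record, not lollms code; it assumes an in-memory store, an injectable clock, and constructed timeout values, and shows the three checks a defender would expect on each request.

```python
from typing import Callable, Dict, Optional
import secrets
import time

IDLE_TIMEOUT = 30 * 60        # reject after 30 minutes without activity
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, not a 31-day default


class Session:
    def __init__(self, user: str, now: float) -> None:
        self.user, self.issued_at, self.last_seen = user, now, now


class SessionStore:
    """In-memory store (assumed); `clock` is injectable so expiry is testable."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self.clock = clock
        self.sessions: Dict[str, Session] = {}
        self.password_changed_at: Dict[str, float] = {}

    def login(self, user: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, self.clock())
        return token

    def reset_password(self, user: str) -> int:
        """Record the reset time and revoke every live session of that user."""
        self.password_changed_at[user] = self.clock()
        stale = [t for t, s in self.sessions.items() if s.user == user]
        for t in stale:
            del self.sessions[t]
        return len(stale)

    def validate(self, token: str) -> Optional[str]:
        """Return the user for a live token, or None if it must be rejected."""
        s = self.sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        # Defence in depth: a token issued before the last password change is
        # rejected even if revocation missed it (e.g. in a replicated store).
        if (s.issued_at < self.password_changed_at.get(s.user, 0.0)
                or now - s.last_seen > IDLE_TIMEOUT
                or now - s.issued_at > ABSOLUTE_LIFETIME):
            del self.sessions[token]
            return None
        s.last_seen = now
        return s.user
```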


Priority Score: 21

KEV: 0
EPSS: +0.0
CVSS: +20
POC: 0


EUVD-2026-20030 vulnerability details – vuln.today
