Skip to main content

Parisneo Lollms

4 CVEs product

Monthly

CVE-2026-1116 PyPI MEDIUM PATCH This Month

Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported v

XSS Parisneo Lollms
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-1115 PyPI CRITICAL PATCH GHSA Act Now

Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.

XSS Parisneo Lollms
NVD GitHub
CVSS 3.0
9.6
EPSS
0.0%
CVE-2026-1163 PyPI MEDIUM GHSA This Month

Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.

Information Disclosure Parisneo Lollms
NVD
CVSS 3.0
4.1
EPSS
0.0%
CVE-2026-1114 PyPI CRITICAL PATCH GHSA Act Now

Weak JWT secret key in LoLLMs 2.1.0 enables offline brute-force recovery, allowing remote unauthenticated attackers to forge administrative tokens and bypass authentication completely. Attackers can escalate privileges to administrator, impersonate legitimate users, and access all restricted endpoints without prior authentication. EPSS probability is low (0.04%, 14th percentile) suggesting limited widespread exploitation interest, though a proof-of-concept exists and SSVC classifies the vulnerability as automatable with total technical impact. Fixed in version 2.2.0 via commit a3b2b82b84.

Authentication Bypass Parisneo Lollms
NVD GitHub
CVSS 3.0
9.8
EPSS
0.0%
EPSS 0% CVSS 6.1
MEDIUM PATCH This Month

Cross-site scripting in parisneo/lollms prior to version 2.2.0 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim browsers via malicious HTML payloads injected through the unsanitized `content` field in the `AppLollmsMessage.from_dict` deserialization method. The changed scope (CVSS S:C) indicates impact beyond the vulnerable component, enabling session hijacking, account takeover, and potentially wormable attacks. Publicly available exploit code exists (reported v

XSS Parisneo Lollms
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

Stored cross-site scripting in parisneo/lollms versions prior to 2.2.0 enables unauthenticated attackers to inject malicious JavaScript through unsanitized social post content in the create_post function. Injected scripts execute in victims' browsers when viewing the Home Feed, enabling account takeover, session hijacking, and wormable propagation across the platform. The CVSS vector indicates network-accessible exploitation requiring user interaction, with scope change allowing cross-domain impact. No public exploit identified at time of analysis, but low attack complexity increases weaponization risk.

XSS Parisneo Lollms
NVD GitHub
EPSS 0% CVSS 4.1
MEDIUM This Month

Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.

Information Disclosure Parisneo Lollms
NVD
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Weak JWT secret key in LoLLMs 2.1.0 enables offline brute-force recovery, allowing remote unauthenticated attackers to forge administrative tokens and bypass authentication completely. Attackers can escalate privileges to administrator, impersonate legitimate users, and access all restricted endpoints without prior authentication. EPSS probability is low (0.04%, 14th percentile) suggesting limited widespread exploitation interest, though a proof-of-concept exists and SSVC classifies the vulnerability as automatable with total technical impact. Fixed in version 2.2.0 via commit a3b2b82b84.

Authentication Bypass Parisneo Lollms
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy