CVE-2026-1116
Received Received - Intake
Cross-site Scripting in parisneo/lollms `from_dict` Enables Account Hijack

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: huntr.dev

Description
A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1116
EUVD
EUVD-2026-21692
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
lollms lollms to 2.1.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-site Scripting (XSS) issue found in the `from_dict` method of the `AppLollmsMessage` class in the parisneo/lollms software before version 2.2.0.

It occurs because the `content` field is not properly sanitized or HTML encoded when user-provided data is deserialized. This allows attackers to inject malicious HTML or JavaScript code.

When executed in another user's browser, this malicious code can perform harmful actions such as stealing session information or taking over user accounts.

Impact Analysis

Exploitation of this vulnerability can lead to serious security impacts including account takeover and session hijacking.

Additionally, the vulnerability is wormable, meaning it can propagate itself from one user to another, potentially causing widespread compromise.

Mitigation Strategies

To mitigate this vulnerability, upgrade parisneo/lollms to version 2.2.0 or later, where the issue in the from_dict method of the AppLollmsMessage class has been fixed by properly sanitizing or HTML encoding the content field.

Compliance Impact

The vulnerability is a Cross-site Scripting (XSS) issue that allows attackers to inject malicious scripts, potentially leading to account takeover and session hijacking.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access to personal or sensitive data, violating data protection and privacy requirements.

However, the provided information does not explicitly describe the direct effects on compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1116. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart