CVE-2026-1115: lollms: Stored XSS enables wormable account takeover

GHSA-8wrq-fv5f-pfp2 CRITICAL CISA: ATTEND
Published April 10, 2026
CISO Take

A stored XSS vulnerability in lollms' social feature allows any unauthenticated user to inject persistent JavaScript into the Home Feed by posting unsanitized content, which executes in the browsers of every viewer — including administrators. With a CVSS of 9.6 and a wormable attack vector, a single malicious post can chain into full admin account takeover and cascade to every user who loads the feed; lollms has 8 prior CVEs in the same package, signaling a pattern of insufficient input validation in this codebase. No public exploit or CISA KEV listing yet, but the trivial exploitation barrier and admin impact make this high-priority. Upgrade to lollms 2.2.0 immediately; if upgrade is not possible, disable or restrict the social/post feature at the application or network level until patched.

Sources: NVD GitHub Advisory ATLAS huntr.com

What is the risk?

Critical risk. CVSS 9.6 reflects network-accessible, low-complexity exploitation with no privileges required and high confidentiality/integrity/availability impact. The wormable nature — where a single injected post can harvest admin credentials and propagate — significantly multiplies blast radius beyond a typical stored XSS. lollms is a self-hosted AI UI platform commonly deployed by teams with internal access to LLM backends, model configs, and sensitive data. Compromise of an admin session gives attackers full control over the AI system, including model parameters, API keys, and user data. The pattern of 8 prior CVEs in this package lowers confidence in overall code quality.

How does the attack unfold?

Initial Access
Attacker registers or uses an existing low-privilege account on a lollms instance and submits a social post containing a JavaScript payload via the create_post API endpoint.
AML.T0049
Persistence via Storage
The malicious payload is stored unsanitized in the database through the DBPost model, persisting until an admin manually removes it.
Execution on Victim Browser
Any user — including admins — who loads the Home Feed triggers browser execution of the stored JavaScript without any further attacker interaction.
AML.T0011
Impact: Session Hijack & Worm
Admin session cookie is exfiltrated to attacker infrastructure; attacker gains full platform control and can modify existing posts to propagate the payload wormably to all remaining users.
AML.T0012

What systems are affected?

Package Ecosystem Vulnerable Range Patched
LoLLMs pip < 2.2.0 2.2.0
85 Pushed 9d ago 40% patched ~24d to patch Full package profile →

Do you use LoLLMs? You're affected.

How severe is it?

CVSS 3.1
9.6 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 33% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI Required
S Changed
C High
I High
A High

What should I do?

4 steps
  1. Patch: Upgrade lollms to version 2.2.0 immediately — the fix implements input sanitization in the create_post function.

  2. Workaround (if patching is blocked): Disable the social/post feature at the application level or restrict access to the Home Feed endpoint via network policy.

  3. Detection: Review server-side logs for unusual POST requests to the social create_post endpoint containing HTML/script tags; audit existing posts in the database for stored payloads (search DBPost content for '<script', 'javascript:', 'onerror=', 'onload=').

  4. Post-incident: If compromise is suspected, invalidate all active sessions, rotate any API keys or credentials accessible from the admin panel, and review access logs for unauthorized configuration changes.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
A.6.2.6 - Secure Development — Application Security
NIST AI RMF
MANAGE-2.2 - Manage AI Risks — Vulnerability Treatment
OWASP LLM Top 10
LLM02 - Insecure Output Handling

Frequently Asked Questions

What is CVE-2026-1115?

A stored XSS vulnerability in lollms' social feature allows any unauthenticated user to inject persistent JavaScript into the Home Feed by posting unsanitized content, which executes in the browsers of every viewer — including administrators. With a CVSS of 9.6 and a wormable attack vector, a single malicious post can chain into full admin account takeover and cascade to every user who loads the feed; lollms has 8 prior CVEs in the same package, signaling a pattern of insufficient input validation in this codebase. No public exploit or CISA KEV listing yet, but the trivial exploitation barrier and admin impact make this high-priority. Upgrade to lollms 2.2.0 immediately; if upgrade is not possible, disable or restrict the social/post feature at the application or network level until patched.

Is CVE-2026-1115 actively exploited?

No confirmed active exploitation of CVE-2026-1115 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-1115?

1. Patch: Upgrade lollms to version 2.2.0 immediately — the fix implements input sanitization in the create_post function. 2. Workaround (if patching is blocked): Disable the social/post feature at the application level or restrict access to the Home Feed endpoint via network policy. 3. Detection: Review server-side logs for unusual POST requests to the social create_post endpoint containing HTML/script tags; audit existing posts in the database for stored payloads (search DBPost content for '<script', 'javascript:', 'onerror=', 'onload='). 4. Post-incident: If compromise is suspected, invalidate all active sessions, rotate any API keys or credentials accessible from the admin panel, and review access logs for unauthorized configuration changes.

What systems are affected by CVE-2026-1115?

This vulnerability affects the following AI/ML architecture patterns: ML UI platforms, self-hosted AI assistants, shared LLM workspaces.

What is the CVSS score for CVE-2026-1115?

CVE-2026-1115 has a CVSS v3.1 base score of 9.6 (CRITICAL). The EPSS exploitation probability is 0.40%.

What is the AI security impact?

Affected AI Architectures

ML UI platformsself-hosted AI assistantsshared LLM workspaces

MITRE ATLAS Techniques

AML.T0011 User Execution
AML.T0012 Valid Accounts
AML.T0048.003 User Harm
AML.T0049 Exploit Public-Facing Application
AML.T0061 LLM Prompt Self-Replication

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE-2.2
OWASP LLM Top 10: LLM02

What are the technical details?

Original Advisory

A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.

Exploitation Scenario

An attacker identifies a lollms instance (internal or public) and registers or uses a low-privilege account. They submit a crafted social post containing a JavaScript payload — e.g., a script that exfiltrates document.cookie to an attacker-controlled server — via the create_post endpoint. Because lollms assigns user content directly to the DBPost model without sanitization, the payload is stored in the database. When an admin next loads the Home Feed, the browser executes the stored script, silently sending the admin's session cookie to the attacker. The attacker replays the session token to gain admin access to the lollms interface, extracts stored API keys and LLM configurations, and optionally modifies the original post or creates new posts to spread the payload wormably to remaining users — all without triggering obvious user-facing alerts.

Weaknesses (CWE)

CWE-79 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'): The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

  • [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. Examples of libraries and frameworks that make it easier to generate properly encoded output include Microsoft's Anti-XSS library, the OWASP ESAPI Encoding module, and Apache Wicket.
  • [Implementation, Architecture and Design] Understand the context in which your data will be used and the encoding that will be expected. This is especially important when transmitting data between different components, or when generating outputs that can contain multiple encodings at the same time, such as web pages or multi-part mail messages. Study all expected communication protocols and data representations to determine the required encoding strategies. For any data that will be output to another web page, especially any data that was received from external inputs, use the appropriate encoding on all non-alphanumeric characters. Parts of the same output document may require different encodings, which will vary depending on whether the output is in the: etc. Note that HTML Entity Encoding is only appropriate for the HTML body. Consult the XSS Prevention Cheat Sheet [REF-724] for more details on the types of encoding and escaping that are needed. HTML body Element attributes (such as src="XYZ") URIs JavaScript sections Casca

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Timeline

Published
April 10, 2026
Last Modified
April 10, 2026
First Seen
April 11, 2026

Related Vulnerabilities