<0.1% probability · 15.5th percentile — 2026-05-12
Affected versions
parisneo/lollms versions prior to 2.2.0
Summary
This stored cross-site scripting (XSS) vulnerability impacts the social feature of the parisneo/lollms application. User-provided content is stored without sanitization in the application database, allowing attackers to inject malicious JavaScript that executes when other users view the home feed. This can lead to session hijacking, full administrator account takeover, and wormable attacks across the application.
Remediation
Upgrade to parisneo/lollms version 2.2.0 or later to resolve this vulnerability. If an immediate upgrade is not possible, add strict input sanitization for all user-generated content stored via the social feature as a temporary workaround.
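To make the mitigation concrete, the following is an added example that is not part of the advisory or of the lollms code base. It models the social-feed post path with a hypothetical in-memory store (FeedStore, render_feed_vulnerable, render_feed_hardened are all invented names): the "before" renderer interpolates stored content straight into HTML, reproducing the stored-XSS condition the summary describes; the "after" renderer escapes every post at output time with the standard library's html.escape, so stored markup reaches viewers as inert text. The sample posts are constructed; the second one carries a harmless script-tag marker so the difference between the two renderers is visible.

```python
import html
from dataclasses import dataclass, field

# Constructed sample of user-submitted post content. The second entry carries a
# script tag of the kind the advisory describes; it only sets a marker variable.
SAMPLE_POSTS = [
    "Hello from the social feed!",
    "<script>window.xss_marker = 1</script><b>bold</b>",
]


@dataclass
class FeedStore:
    """Hypothetical stand-in for the application's post table (not lollms code)."""
    posts: list = field(default_factory=list)

    def add_post(self, content: str) -> None:
        # Storage keeps the raw text. Escaping belongs at the point of rendering,
        # because the same text may later be emitted as HTML, JSON or plain text,
        # and each context needs its own encoding.
        self.posts.append(content)


def render_feed_vulnerable(store: FeedStore) -> str:
    """'Before' form: raw content is interpolated into the page, so any markup a
    user stored becomes live HTML for every viewer of the home feed."""
    return "".join(f"<div class='post'>{p}</div>" for p in store.posts)


def render_feed_hardened(store: FeedStore) -> str:
    """'After' form: each post is HTML-escaped at render time (&, <, >, quotes),
    so the browser sees text rather than markup, whatever was stored."""
    return "".join(
        f"<div class='post'>{html.escape(p, quote=True)}</div>" for p in store.posts
    )


def contains_active_markup(rendered: str) -> bool:
    """Simple regression check a defender can run over rendered output:
    does an unescaped script tag survive into the page?"""
    return "<script" in rendered.lower()


def demo() -> tuple:
    """Build the store from the constructed posts and render it both ways."""
    store = FeedStore()
    for p in SAMPLE_POSTS:
        store.add_post(p)
    return render_feed_vulnerable(store), render_feed_hardened(store)


if __name__ == "__main__":
    before, after = demo()
    print("vulnerable render carries script tag:", contains_active_markup(before))
    print("hardened render carries script tag:  ", contains_active_markup(after))
```

Escaping on output is the general fix; an input-side sanitizer, as the workaround suggests, is a reasonable stopgap but must be applied to every storage path, and a Content-Security-Policy header that disallows inline script limits the blast radius if one path is missed.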