{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1116", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-17T17:52:55.574Z", "datePublished": "2026-04-12T02:22:52.389Z", "dateUpdated": "2026-04-13T17:49:36.132Z"}, "containers": {"cna": {"title": "Cross-site Scripting (XSS) in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-12T02:22:52.389Z"}, "descriptions": [{"lang": "en", "value": "A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "lessThan": "2.2.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e"}, {"url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79"}]}], "source": {"advisory": "d3d076a7-2a51-4e07-8d0e-91e28e76788e", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-13T17:49:21.295282Z", "id": "CVE-2026-1116", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:49:36.132Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1116", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:49:21.295282Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T17:49:25.977Z"}}], "cna": {"title": "Cross-site Scripting (XSS) in parisneo/lollms", "source": {"advisory": "d3d076a7-2a51-4e07-8d0e-91e28e76788e", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "CHANGED", "version": "3.0", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"status": "affected", "version": "unspecified", "lessThan": "2.2.0", "versionType": "custom"}]}], "references": [{"url": "https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e"}, {"url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"}], "descriptions": [{"lang": "en", "value": "A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-12T02:22:52.389Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1116", "state": "PUBLISHED", "dateUpdated": "2026-04-13T17:49:36.132Z", "dateReserved": "2026-01-17T17:52:55.574Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-04-12T02:22:52.389Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A Cross-site Scripting (XSS) vulnerability was identified in the `from_dict` method of the `AppLollmsMessage` class in parisneo/lollms prior to version 2.2.0. The vulnerability arises from the lack of sanitization or HTML encoding of the `content` field when deserializing user-provided data. This allows an attacker to inject malicious HTML or JavaScript payloads, which can be executed in the context of another user's browser. Exploitation of this vulnerability can lead to account takeover, session hijacking, or wormable attacks."}], "id": "CVE-2026-1116", "lastModified": "2026-04-13T15:01:43.663", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 4.7, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-04-12T03:16:07.600", "references": [{"source": "security@huntr.dev", "url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"}, {"source": "security@huntr.dev", "url": "https://huntr.com/bounties/d3d076a7-2a51-4e07-8d0e-91e28e76788e"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.2.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "parisneo/lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-04-12T03:21:06.741582+00:00", "value": {"mitigation_remediation": ["Upgrade ParisNeo/lollms to version 2.2.0 or later", "If an upgrade is not immediately possible, modify the from_dict method or surrounding logic to sanitize or HTML\u2011encode the content field before rendering", "Apply a Content Security Policy that restricts script execution from untrusted sources", "Configure web application firewalls to block suspicious payloads that attempt to embed scripts", "Regularly audit logs for anomalous content injections or failed rendering attempts"], "summary": {"action": "Patch Now", "impact": "Cross\u2011site scripting allowing malicious script execution in victims\u2019 browsers, potentially leading to account takeover or session hijacking"}, "threat_synthesis": {"affected_systems": "Any deployment of ParisNeo/lollms older than version 2.2.0 is affected. The vulnerability resides in the AppLollmsMessage class within the lollms repository, and applies to installations that deserialize user\u2011provided message data via the from_dict method.", "description_and_impact": "The CVE describes an XSS vulnerability in the from_dict method of AppLollmsMessage in the ParisNeo/lollms project before version 2.2.0. The flaw arises because the content field is not sanitized or HTML\u2011encoded when deserializing user data, permitting an attacker to inject malicious JavaScript or HTML. When the payload executes in a victim\u2019s browser, the attacker can hijack the session, take over the account, or launch wormable attacks that spread through other users.", "risk_and_exploitability": "The CVSS score of 8.2 indicates a high impact with substantial risk. EPSS data is unavailable, but the vulnerability is remote and can be triggered by supplying crafted content over the network\u2014most likely through HTTP requests or data import interfaces that call from_dict. Attackers need only supply malicious content; no privileged access is required, making exploitation straightforward for an attacker with network visibility. The lack of mitigation in the code means that an exploit will succeed on affected systems unless mitigated through patching or defensive filtering."}}}}, "created": "2026-04-13T12:41:43.123480+00:00", "updated": "2026-04-13T12:56:25.324993+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$parisneo/lollms"]}