JustAppSec

lollms patches stored XSS enabling admin account takeover

1 min read | Published 10 Apr 2026 | Updated 10 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — A critical stored XSS in parisneo/lollms social posting can execute attacker JavaScript in other users’ Home Feed views (including admins), enabling session theft and account takeover.

What happened

parisneo/lollms includes a “social” feature where users create posts that are rendered in a Home Feed. CVE-2026-1115 describes a stored cross-site scripting (XSS) issue in the create_post function (backend/routers/social/__init__.py) where user-provided content is assigned to the DBPost model without sanitization, allowing injected JavaScript to be stored and later executed in viewers’ browsers.
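
The pattern the record describes, shown as an added illustration rather than code from lollms: one path copies the submitted content into the post record and splices it into the feed HTML verbatim, the other validates on input and encodes for the HTML context on output. All names here (Post, create_post_unsafe, create_post_hardened, render_feed_item_unsafe, render_feed_item_hardened, MAX_POST_LENGTH) are hypothetical stand-ins, not the project's own identifiers, and the sample post is constructed for the example.

```python
# Added example, not code from the lollms project. It contrasts the pattern the
# CVE record describes (user content stored verbatim and rendered as-is in the
# Home Feed) with an input-validated, output-encoded rendering path. All names
# are hypothetical stand-ins, not the project's own identifiers.
import html
import re
from dataclasses import dataclass

MAX_POST_LENGTH = 4000  # assumed limit for the illustration

# C0 control characters other than tab, newline and carriage return.
_CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


@dataclass(frozen=True)
class Post:
    author: str
    content: str


def create_post_unsafe(author: str, content: str) -> Post:
    """Vulnerable pattern: whatever the client sent is stored verbatim."""
    return Post(author=author, content=content)


def render_feed_item_unsafe(post: Post) -> str:
    """Vulnerable pattern: stored text is spliced into HTML with no encoding,
    so markup inside a post becomes live markup in every viewer's browser."""
    return f'<article class="post"><b>{post.author}</b><p>{post.content}</p></article>'


def create_post_hardened(author: str, content: str) -> Post:
    """Validate on the way in: require text, enforce a length limit and drop
    control characters. Content is stored as plain text, never as HTML."""
    if not isinstance(content, str) or not content.strip():
        raise ValueError("post content must be a non-empty string")
    if len(content) > MAX_POST_LENGTH:
        raise ValueError("post content exceeds the allowed length")
    cleaned = _CONTROL_CHARS.sub("", content)
    return Post(author=author, content=cleaned)


def render_feed_item_hardened(post: Post) -> str:
    """Encode on the way out for the HTML text context the value lands in.
    quote=True also escapes quotes, so the same call is safe inside attributes."""
    author = html.escape(post.author, quote=True)
    content = html.escape(post.content, quote=True)
    return f'<article class="post"><b>{author}</b><p>{content}</p></article>'


def contains_raw_markup(rendered: str) -> bool:
    """Review helper: True if the fragment contains a tag that did not come
    from the template itself, i.e. user input reached the page as markup."""
    template_tags = {"article", "/article", "b", "/b", "p", "/p"}
    for match in re.finditer(r"<\s*(/?\w+)", rendered):
        if match.group(1).lower() not in template_tags:
            return True
    return False


# Constructed sample input (not taken from the CVE record).
SAMPLE_CONTENT = 'hello <script>alert(1)</script> & "quotes"'


def demo() -> dict:
    """Run both paths on the constructed sample and report what reaches the viewer."""
    unsafe = render_feed_item_unsafe(create_post_unsafe("alice", SAMPLE_CONTENT))
    hardened = render_feed_item_hardened(create_post_hardened("alice", SAMPLE_CONTENT))
    return {
        "unsafe_has_raw_markup": contains_raw_markup(unsafe),
        "hardened_has_raw_markup": contains_raw_markup(hardened),
        "hardened_fragment": hardened,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The storage-side checks alone do not close the hole; the encoding at render time is what keeps stored text inert, and it has to match the context it is written into (HTML text here, with quotes escaped so the same helper also serves attribute values). Storing already-escaped content instead would double-encode once a template with auto-escaping is introduced.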

Item                 Source value
Affected software    parisneo/lollms
Vulnerable surface   create_post in backend/routers/social/__init__.py
Impact (per record)  Stored XSS in Home Feed; account takeover, session hijacking, wormable attacks
Severity             CVSS v3.0 9.6 (Critical)
Affected versions    < 2.2.0
Resolution           “resolved in version 2.2.0”

Notably, the record’s CISA-ADP enrichment includes an SSVC entry with Exploitation: poc, which is a useful signal for prioritization when this app is internet-exposed or used by privileged operators.

Who is impacted

  • Deployments running parisneo/lollms versions earlier than 2.2.0.
  • Environments where untrusted users can create social posts that are subsequently viewed by other users (especially administrators) in the Home Feed.
  • Any deployment that treats the browser session as an auth boundary (tokens/cookies present in the UI session), because XSS can translate directly into session theft and account takeover.

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.

    "The issue is resolved in version 2.2.0."

  • Inventory where parisneo/lollms is deployed and identify whether the social/Home Feed feature is enabled and reachable by untrusted users.
  • Treat this as a potential credential/session compromise: if you suspect exposure, review audit logs for post creation and admin browsing activity, and rotate credentials available to the impacted UI session.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
