PyPI: lollms

CVE-2026-1115

Safety vulnerability ID: SFTY-20260410-24647

Safety legacy ID: pyup.io-92528

Affected versions of the lollms package are vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient sanitisation of user-provided content in the social feature. The create_post function in backend/routers/social/init.py directly assigns user-supplied content to the DBPost model without sanitisation, allowing malicious JavaScript to be persisted and rendered in the Home Feed. An attacker can inject crafted JavaScript payloads via social posts, which execute in the browsers of other users including administrators, enabling session hijacking, account takeover, and wormable attacks.
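As an added example (not lollms project code; the tag allow-list, the helper names and the stand-in create_post handler are assumptions), this is the kind of allow-list sanitiser a fix applies before the content is persisted, so script tags, event-handler attributes and javascript: links never reach the stored post that the Home Feed renders:

```python
import html
from html.parser import HTMLParser

ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "code", "a"}  # assumed allow-list
VOID_TAGS = {"br"}


def _safe_href(url: str) -> bool:
    # Only plain http(s) links are kept; javascript:, data: and friends are dropped.
    return url.strip().lower().startswith(("http://", "https://"))


class _AllowListSanitizer(HTMLParser):
    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0  # > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is still kept (escaped)
        kept = ""
        for name, value in attrs:
            # Event handlers (onerror, onclick, ...) and every other attribute are dropped.
            if tag == "a" and name == "href" and value and _safe_href(value):
                kept = f' href="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip_depth = max(0, self.skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(html.escape(data, quote=False))


def sanitize_post_content(content: str) -> str:
    parser = _AllowListSanitizer()
    parser.feed(content)
    parser.close()
    return "".join(parser.out)


def create_post(content: str) -> dict:
    # Hypothetical stand-in for the handler: sanitise before persisting, not only at render time.
    return {"content": sanitize_post_content(content)}
```

Sanitising at write time is a complement to, not a replacement for, output encoding in the feed renderer; both layers should be in place.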

Created at: Apr 16, 2026. Updated at: Apr 16, 2026.

Overview

parisneo/lollms vulnerable to stored XSS in the social feature

Affected Package

Affecting lollms package, versions <2.2.0


How to Fix

Upgrade lollms to 2.2.0 or higher.


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
