Vulnerability  ·  2026-07-19

parisneo/lollms Stored XSS via Shared Prompt Content in Direct Messages

VulnerabilityHigh impactGlobalCVE-2026-12228
A huntr-reported vulnerability (CVSS 8.7) found that lollms's prompt-sharing feature stores unsanitized HTML/JavaScript from a shared prompt into a direct-message record, which then executes when the recipient views the DM.
lollms is an LLM chat/prompt-management platform with a social/sharing layer; a stored XSS reachable via prompt sharing can be weaponized to hijack administrator sessions or propagate through the user base whenever prompts are shared, turning a core collaboration feature into an account-takeover vector.
The POST /api/prompts/share endpoint stores attacker-controlled prompt_content directly into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message containing the shared prompt, the malicious script executes in their browser session, including administrator sessions.
parisneo/lollms (latest version as of disclosure)
Patch pending per huntr bounty disclosure; sanitize/encode prompt_content before storage and on render until an official fixed version is released.
huntr bounty disclosureNVD CVE-2026-12228
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →