CVE-2026-1115
parisneo · lollms
A stored Cross-Site Scripting (XSS) vulnerability in the lollms social feature allows unauthenticated attackers to inject malicious JavaScript, leading to potential account takeover.
Executive summary
A critical stored XSS vulnerability in the lollms social feature allows attackers to execute arbitrary JavaScript in the browsers of administrators and users, leading to full session hijacking.
Vulnerability
The create_post function fails to sanitize user-provided content before storing it in the DBPost model. This allows an attacker to inject malicious JavaScript that executes whenever a user, including an administrator, views the Home Feed.
Business impact
The CVSS score of 9.6 reflects the severe risk of "wormable" attacks and administrative account takeover. Compromise of an administrator account grants the attacker full control over the lollms platform, enabling further malicious activity and potential lateral movement.
Remediation
Immediate Action: Upgrade lollms to version 2.2.0 or higher immediately; this release introduces mandatory input sanitization for posts.
Proactive Monitoring: Review platform activity logs for suspicious posts containing script tags or abnormal redirect patterns.
Compensating Controls: Use a Content Security Policy (CSP) to restrict the execution of unauthorized scripts within the browser, providing a layer of defense against XSS.
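The defect and the fix side by side, as an added example that is not lollms's own code: a hypothetical create_post that stores raw content into a stand-in DBPost, the same function with mandatory sanitization, and a small review helper of the kind the Proactive Monitoring step calls for. The DBPost class, the store, and the sample post are constructed here; the assumption is that the Home Feed renders stored content into HTML.

```python
import html
import re
from dataclasses import dataclass


# Constructed stand-in for the DBPost model; not lollms's own class.
@dataclass
class DBPost:
    author: str
    content: str


def sanitize(content: str) -> str:
    """Escape HTML metacharacters so stored text is never parsed as markup.

    Escaping at storage time is shown here; encoding at render time, or an
    allow-list HTML sanitizer if rich text is required, is the other standard
    option. Either way the feed must never emit raw user input into the DOM.
    """
    return html.escape(content, quote=True)


def create_post_unsanitized(store: list, author: str, content: str) -> DBPost:
    """Defective pattern described in the advisory: raw input goes straight in."""
    post = DBPost(author, content)
    store.append(post)
    return post


def create_post(store: list, author: str, content: str) -> DBPost:
    """Fixed pattern: sanitization is mandatory before the model is persisted."""
    post = DBPost(author, sanitize(content))
    store.append(post)
    return post


# Review of already-stored posts (for example, posts written before the upgrade):
# flag content that still carries raw script tags or javascript: URLs.
# Constructed starting point for a log/database review, not an exhaustive list.
SUSPICIOUS = re.compile(r"<\s*script\b|\bjavascript\s*:", re.IGNORECASE)


def flag_suspicious(store: list) -> list:
    return [p for p in store if SUSPICIOUS.search(p.content)]


# Constructed sample input containing a script tag.
SAMPLE_INPUT = "<script>alert(1)</script> hello"

if __name__ == "__main__":
    before, after = [], []
    create_post_unsanitized(before, "guest", SAMPLE_INPUT)
    create_post(after, "guest", SAMPLE_INPUT)
    print("flagged before fix:", len(flag_suspicious(before)))
    print("flagged after fix:", len(flag_suspicious(after)))
    print("stored after fix:", after[0].content)
```

Running the review helper over the pre-upgrade post table surfaces the rows that need cleanup; the sanitized path stores the same input as inert text.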
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk of account takeover via this XSS vulnerability is severe. All instances of lollms must be updated to version 2.2.0 immediately to prevent exploitation and protect administrative sessions.