Insufficient Session Expiration in parisneo/lollms

Description

An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password.

Affected Products

Vendor	Product	Versions
parisneo	parisneo/lollms	pip/lollms: <= 11.0.0

References

https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b

Related News (1 articles)

Tier C

VulDB4d ago

CVE-2026-1163 | parisneo lollms Password Reset session expiration

→ No new info (linked only)

CVSS 3.14.1 MEDIUM

VectorCVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L

CISA KEV❌ No

Actively exploited❌ No

CWECWE-613

PublishedApr 8, 2026

Last enriched4d agov2

Trending Score18

Source articles1

Independent1

Info Completeness8/14

Missing: epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

Version History

Last enriched 4d ago

v2Tier C4d ago

Updated description with new details about the Password Reset Handler and confirmed no exploit is available.

description

via VulDB

v14d ago

Initial creation

Insufficient Session Expiration in parisneo/lollms

Description

Affected Products

References

Related News (1 articles)

Community Vote

Related CVEs (3)

Pin to Dashboard

Verification

Vulnerability Timeline

Version History