CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-1114

criticalCVSS 9.8covered by 1 sourcefirst seen 2026-04-07
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens (JWT). This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the secret key is obtained, the attacker can forge administrative tokens by modifying the JWT payload and resigning it with the cracked secret. This enables unauthorized users to escalate privileges, impersonate the administrator, and gain access to restricted endpoints. The issue is resolved in version 2.2.0.

⚡ Watch CVE-2026-1114

Get an email if CVE-2026-1114 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-1114

CVE.org record

Embed the live status

CVE-2026-1114 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-1114 status](https://www.csirts.com/badge/CVE-2026-1114)](https://www.csirts.com/cve/CVE-2026-1114)