{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1163", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "state": "PUBLISHED", "assignerShortName": "@huntr_ai", "dateReserved": "2026-01-18T21:30:57.148Z", "datePublished": "2026-04-08T02:20:50.573Z", "dateUpdated": "2026-04-08T15:58:36.451Z"}, "containers": {"cna": {"title": "Insufficient Session Expiration in parisneo/lollms", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-08T02:20:50.573Z"}, "descriptions": [{"lang": "en", "value": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password."}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"version": "unspecified", "status": "affected", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b"}], "metrics": [{"cvssV3_0": {"version": "3.0", "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.1, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-613 Insufficient Session Expiration", "cweId": "CWE-613"}]}], "source": {"advisory": "abe2d1c4-c21c-4608-8a8e-274565246a8b", "discovery": "EXTERNAL"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T15:58:28.539428Z", "id": "CVE-2026-1163", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:58:36.451Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1163", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T15:58:28.539428Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T15:58:33.466Z"}}], "cna": {"title": "Insufficient Session Expiration in parisneo/lollms", "source": {"advisory": "abe2d1c4-c21c-4608-8a8e-274565246a8b", "discovery": "EXTERNAL"}, "metrics": [{"cvssV3_0": {"scope": "UNCHANGED", "version": "3.0", "baseScore": 4.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "HIGH", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "parisneo", "product": "parisneo/lollms", "versions": [{"status": "affected", "version": "unspecified", "versionType": "custom", "lessThanOrEqual": "latest"}]}], "references": [{"url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b"}], "descriptions": [{"lang": "en", "value": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-613", "description": "CWE-613 Insufficient Session Expiration"}]}], "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntr_ai", "dateUpdated": "2026-04-08T02:20:50.573Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1163", "state": "PUBLISHED", "dateUpdated": "2026-04-08T15:58:36.451Z", "dateReserved": "2026-01-18T21:30:57.148Z", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "datePublished": "2026-04-08T02:20:50.573Z", "assignerShortName": "@huntr_ai"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject requests after a period of inactivity and the excessively long default session duration of 31 days. The vulnerability enables an attacker to maintain persistent access to a compromised account, even after the victim resets their password."}], "id": "CVE-2026-1163", "lastModified": "2026-04-30T16:16:23.063", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 4.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 0.7, "impactScore": 3.4, "source": "security@huntr.dev", "type": "Secondary"}]}, "published": "2026-04-08T03:16:07.500", "references": [{"source": "security@huntr.dev", "url": "https://huntr.com/bounties/abe2d1c4-c21c-4608-8a8e-274565246a8b"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-613"}], "source": "security@huntr.dev", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "unspecified"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "parisneo/lollms", "source": "cna", "vendor": "parisneo"}, "product": "lollms", "vendor": "parisneo"}], "analysis": {"en": {"generated_at": "2026-04-08T04:20:47.597069+00:00", "value": {"mitigation_remediation": ["Check the vendor\u2019s website or security page for an updated release that adds session invalidation on password change and limits session duration.", "If no patch is available, immediately reduce the session timeout to a short period (e.g., 2\u20134 hours) and enforce idle\u2011timeout policies.", "Implement a server\u2011side check that invalidates all active sessions whenever a password reset occurs.", "Monitor session activity logs for anomalous long\u2011lived sessions and alert administrators.", "If possible, enforce multi\u2011factor authentication to limit the impact of a stolen session token."], "summary": {"action": "Patch", "impact": "Persistent Unauthorized Access"}, "threat_synthesis": {"affected_systems": "The Parisneo lollms application is affected, specifically the latest publicly released version(s). No detailed version range is disclosed, so deployments using the default 31-day session configuration should be reviewed for exposure.", "description_and_impact": "An insufficient session expiration vulnerability causes the application to keep an active session token valid even after a user resets their password. The lack of a mechanism to reject requests after inactivity and the default 31-day session lifetime allow an attacker who already holds a session cookie to maintain access, leading to persistent unauthorized control of the compromised account.", "risk_and_exploitability": "The CVSS base score of 4.1 indicates moderate severity, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is possession of an active session cookie prior to the password reset; an attacker can trigger a password change and then continue using the old token because the session is not invalidated. EPSS data is unavailable, but the moderate score suggests that exploitation could occur if the conditions are met."}}}}, "created": "2026-04-08T19:33:31.270174+00:00", "updated": "2026-04-08T19:44:09.593068+00:00", "vendors": ["parisneo", "parisneo$PRODUCT$lollms", "parisneo$PRODUCT$parisneo/lollms"]}