← volver
CVE-2026-23733

Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)

CVSS 6.4 MEDIUMEPSS 0.1%CWE-94
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 6.4EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
18 ene 2026Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.
CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
Productos afectados
lobehub · lobe-chat

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443