CVE-2026-23733
Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)
Vexday Risk Score: 13 (Low)
SSVC decision (CISA): Track
No sign of exploitation → monitor
CVSS 6.4 · EPSS 0.1% · KEV: no · PoC: — · Patch: —
Lifecycle
18 Jan 2026: published in the NVD
Recommendation: Monitor. No sign of exploitation at present.
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.
CVSS 3.1 vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
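The advisory gives the affected range only as "prior to 2.0.0-next.180", and Lobe Chat ships prerelease builds, so an inventory check has to order prerelease numbers numerically (2.0.0-next.9 is older than 2.0.0-next.180) and treat the final 2.0.0 release as newer than any 2.0.0-next build. The following is an added example, not code from Lobe Chat or the advisory; the version-string format and the sample inventory are assumptions.

```javascript
// Added example (not Lobe Chat project code): flag installed Lobe Chat builds
// that fall in the advisory's affected range "prior to 2.0.0-next.180".
// Assumes version strings of the form MAJOR.MINOR.PATCH[-TAG.N] (e.g. 2.0.0-next.180).
const FIXED_VERSION = "2.0.0-next.180"; // taken from the advisory text

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z-]+)\.(\d+))?$/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    // prerelease tag and its numeric counter, or null for a final release
    pre: m[4] === undefined ? null : { tag: m[4], n: Number(m[5]) },
  };
}

// Negative if a < b, 0 if equal, positive if a > b.
// Semver rule: a final release outranks every prerelease with the same core,
// and prerelease counters compare as numbers, not as strings.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] - pb.core[i];
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  if (pa.pre.tag !== pb.pre.tag) return pa.pre.tag < pb.pre.tag ? -1 : 1;
  return pa.pre.n - pb.pre.n;
}

// True when the installed build predates the patched version.
function isAffected(installed) {
  return compareVersions(installed, FIXED_VERSION) < 0;
}

// Constructed sample inventory (not real deployments).
const inventory = ["1.99.0", "2.0.0-next.9", "2.0.0-next.179", "2.0.0-next.180", "2.0.0"];
for (const v of inventory) {
  console.log(`${v.padEnd(16)} ${isAffected(v) ? "AFFECTED" : "patched"}`);
}
```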
Affected products
lobehub · lobe-chat