Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate...

6.4 / 10

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

Basic Information

ID CVE-2026-23733

Source GitHub_M

Published Jan 18, 2026 at 22:56

Affected Product

Vendor lobehub

Product lobe-chat

Version < 2.0.0-next.180

Affected Versions lobehub lobe-chat < 2.0.0-next.180

CWE Classification

CWE-94

References

github.com /lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443

{
    "lastseen": "",
    "description": "LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.",
    "published": "2026-01-18T22:56:15.888Z",
    "modified": "2026-01-18T22:56:15.888Z",
    "type": "cve",
    "title": "Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)",
    "source": "GitHub_M",
    "references": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443",
    "id": "CVE-2026-23733",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "lobehub lobe-chat < 2.0.0-next.180",
    "sourceHref": "",
    "cvss": {
        "score": 6.4,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "lobe-chat",
    "version": "< 2.0.0-next.180",
    "vendor": "lobehub",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)_CVE-2026-23733