Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
- Severity: Medium
Description
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed electronAPI IPC bridge, allowing attackers to run arbitrary system commands on the victim’s machine.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.143.2
References
Related Issues
- LobeHub Vulnerable to Improper Authorization in Presigned Upload - CVE-2026-23835
- LangChain serialization injection vulnerability enables secret extraction (GHSA-r399-636x-v7f6) - CVE-2025-68665
- TypeORM vulnerable to SQL injection via crafted request to repository.save or repository.update - CVE-2025-60542
- Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module - CVE-2025-62505
- Tags:
  - npm
  - @lobehub/chat
Last updated on January 20, 2026