Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
- Severity: High
Description
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.143.2
Related Issues
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) - CVE-2026-26226
- Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
- tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload - CVE-2022-25854
- Tags:
  - npm
  - @lobehub/chat
Last updated on February 05, 2026