Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
Severity: Medium
Description
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed electronAPI IPC bridge, allowing attackers to run arbitrary system commands on the victim’s machine.
Recommendation
No fix is available yet. The following versions are affected:
- <= 1.143.2
References
Related Issues
- Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages - CVE-2025-59417
- Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion - CVE-2026-23522
- seroval Affected by Remote Code Execution via JSON Deserialization - CVE-2026-23737
- tagify can pass a malicious placeholder to initiate the cross-site scripting (XSS) payload - CVE-2022-25854
Tags: npm, @lobehub/chat
Last updated on January 20, 2026