LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution

Description

The vulnerability was automatically discovered by an ai agent and then manually verified.

LobeChat’s message rendering mechanism has a stored cross-site scripting (XSS) vulnerability.

Recommendation

No fix is available yet. Followings are affected versions:

• <= 2.1.26

References

• GHSA-xq4x-622m-q8fq
• CVE-2026-42045
• CWE-78
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE) - CVE-2026-23733
• beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) - CVE-2026-26226
• CyberChef has a Cross-site Scripting issue - CVE-2026-42615
• Slim Select has potential Cross-site Scripting issue - CVE-2024-9440

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@lobehub/lobehub