CVE-2026-23733: Code Injection in Lobe-chat

CWE-94 Code Injection | 4 documents | 4 sources
Severity: 6.4 MEDIUM (NVD)
EPSS: 0.1% (top 71.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 18; latest update Jan 20

Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
Exploitability: 0.6 | Impact: 5.3

Affected Packages (2 packages)

CVEListV5: lobehub/lobe-chat < 2.0.0-next.180
npm: lobehub/chat 1.143.2

🔴 Vulnerability Details (2)

OSV: Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE) (2026-01-20)
GHSA: Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE) (2026-01-20)

🕵️ Threat Intelligence (1)

Wiz: CVE-2026-23733 Impact, Exploitability, and Mitigation Steps | Wiz