CVE-2026-23733
published 2026-01-18


Priority: P4 (27)
Severity: medium, CVSS 3.1 base score 6.4
Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
EPSS: 0.12% (2.4th percentile)
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

Affected (2 ranges)

Vendor    Product     Version range       Fixed in
lobehub   chat        0 – 1.143.2
lobehub   lobe-chat   < 2.0.0-next.180    2.0.0-next.180