Medium severity6.4OSV Advisory· Published Jan 18, 2026· Updated Apr 15, 2026
CVE-2026-23733
CVE-2026-23733
Description
LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed electronAPI IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
@lobehub/chatnpm | <= 1.143.2 | — |
Affected products
2Patches
Vulnerability mechanics
References
4News mentions
0No linked articles in our index yet.