CVE-2026-23733 — MEDIUM (6.4)

Vulnerability Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

CVSS Score

6.4

MEDIUM

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

Attack Vector

LOCAL

Attack Complexity

HIGH

Privileges Required

HIGH

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

LOW

Related Weaknesses (CWE)

CWE-94

References

https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443

FAQ

What is CVE-2026-23733?

CVE-2026-23733 is a vulnerability with a CVSS score of 6.4 (MEDIUM). LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute ar...

How severe is CVE-2026-23733?

CVE-2026-23733 has been rated MEDIUM with a CVSS base score of 6.4/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2026-23733?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.