Home > Vulnerability Database > CVE-2026-23733

Mend.io Vulnerability Database

CVE-2026-23733

Good to know:

Date: January 18, 2026

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed "electronAPI" IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

Severity Score

6.4

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2026-23733

Url: https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443

Url: https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443

Url: https://github.com/lobehub/lobe-chat

Url: https://www.mend.io/vulnerability-database/CVE-2026-23733

Severity Score

6.4

Weakness Type (CWE)

Improper Control of Generation of Code ('Code Injection')

CWE-94

Top Fix

Upgrade Version

Upgrade to version @lobehub/lobehub - v2.0.0-next.180

Learn More

CVSS v3.1

Base Score:	6.4
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	HIGH
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	LOW
Availability (A):	LOW

Mend.io Vulnerability Database

We found results for “”

CVE-2026-23733

Good to know:

Date: January 18, 2026

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?