CVE-2026-23733 MEDIUM

CVE-2026-23733: Lobe Chat has a Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)

Vendor Lobehub
Product lobe-chat
Weakness CWE-94 · Code injection
Published January 18, 2026
Last update January 20, 2026

CVSS base score

6.4/10
Attack vector Local
Attack complexity High
Privileges required High
User interaction Required
Confidentiality High
Integrity Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L

What the vulnerability does

01 Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

Key dates

02 Disclosure timeline

January 18, 2026 CVE published
January 20, 2026 Record updated