6 matches found
CVE-2026-59095 LobeChat < 2.2.10-canary.18 - SSRF via importFromUrl and fetchImageFromUrl
LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service importFromUrl and topic cover update fetchImageFromUrl...
GHSA-XQ4X-622M-Q8FQ LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
Summary The vulnerability was automatically discovered by an ai agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting XSS vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious...
PT-2026-37247
Name of the Vulnerable Software and Affected Versions LobeHub versions prior to 2.1.48 Description A stored cross-site scripting XSS issue exists in the message rendering mechanism. When processing custom tags in the src/features/Portal/Artifacts/Body/Renderer/index.tsx render process, the softwa...
LobeChat < 0.122.4 Improper Access Control
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.122.4. It is, therefore, affected by an Improper Access Control allowing access plugins without proper authorization. Note that the scanner has not tested for these...
LobeChat < 0.150.6 Server-Side Request Forgery
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.150.6. It is, therefore, affected by a Server-Side Request Forgery through agent proxy configuration. Note that the scanner has not tested for these issues but has...
LobeChat < 1.19.13 Server-Side Request Forgery
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 1.19.13. It is, therefore, affected by multiples Server-Side Request Forgery : - A Server-Side Request Forgery through proxy address - A Server-Side Request Forgery...