28 matches found
LobeHub security vulnerability
LobeHub is an open-source AI dialogue framework developed by LobeHub. Versions of LobeHub prior to 1.143.3 contained security vulnerabilities. These vulnerabilities stemmed from the file upload feature not verifying the integrity of requests and allowing manipulation of the file size parameter...
Access Control Bypass
Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...
Arbitrary Code Injection
Overview @lobehub/lobehub is a LobeHub - an open-source,comprehensive AI Agent framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...
Cross-site Scripting (XSS)
@lobehub/cha is vulnerable to a Cross-Site Scripting XSS. The vulnerability is due to unsafe SVG rendering due to SVGRenderer using dangerouslySetInnerHTML for image/svg+xml lobeArtifact content. An attacker can inject malicious SVGs via chat messages...
CVE-2025-62505
creationtimestamp| type| source ---|---|--- 2025-10-17 09:26:18+00:00| published-proof-of-concept| https://github.com/lobehub/lobehub/security/advisories/GHSA-fgx4-p8xf-qhp9...
CVE-2025-59417
creationtimestamp| type| source ---|---|--- 2025-09-18 14:23:53+00:00| published-proof-of-concept| https://github.com/lobehub/lobehub/security/advisories/GHSA-m79r-r765-5f9j...
CVE-2024-32964
creationtimestamp| type| source ---|---|--- 2024-05-10 06:13:02+00:00| published-proof-of-concept| https://github.com/lobehub/lobehub/security/advisories/GHSA-mxhq-xw3g-rphc...
GHSA-PF55-FJ96-XF37 @lobehub/chat vulnerable to unauthorized access to plugins
Description: When the application is password-protected deployed with the ACCESSCODE option, it is possible to access plugins without proper authorization without password. Proof-of-Concept: Let’s suppose that application has been deployed with following command: sudo docker run -d -p 3210:3210 -...