Lucene search
K

87 matches found

Nuclei
Nuclei
added yesterday47 views

Lobe Chat <= v0.150.5 - Server-Side Request Forgery

Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6, lobe-chat had an unauthorized Server-Side Request Forgery vulnerability in the /api/proxy endpoint. An attacker can construct malicious requests to cause...

9CVSS7AI score0.52683EPSS
Exploits2References4
NVD
NVD
added 2026/07/02 8:17 p.m.6 views

CVE-2026-59098

LobeChat through 2.2.9 contains a broken access control vulnerability in the retrieval-augmented-generation semantic search functionality that allows authenticated attackers to access other users' data by exploiting missing user-identifier predicates in the chunk model semanticSearch method...

7.1CVSS0.00238EPSS
Exploits0References4
NVD
NVD
added 2026/07/02 8:17 p.m.6 views

CVE-2026-58580

LobeChat through 2.2.9 server-database deployments are vulnerable to broken object-level authorization in MessageModel. The updateMessagePlugin, updatePluginState, updatePluginError, updateTTS and updateTranslate methods filter target rows by message id alone, omitting the userId scope that sibli...

6CVSS0.00154EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 8:17 p.m.7 views

CVE-2026-59095

LobeChat before 2.2.10-canary.18 contains a server-side request forgery vulnerability that allows authenticated attackers to direct internal HTTP requests to arbitrary URLs by supplying user-controlled input to the skill import service importFromUrl and topic cover update fetchImageFromUrl...

8.3CVSS0.00235EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:26 p.m.12 views

CVE-2026-39411

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

7.1CVSS5.6AI score0.00126EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 4:47 p.m.34 views

CVE-2026-42045 LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the...

6.2CVSS0.00266EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/04/08 7:37 p.m.22 views

CVE-2026-39411 LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

5CVSS0.00126EPSS
Exploits0References4
Vulnrichment
Vulnrichment
added 2026/04/08 7:37 p.m.5 views

CVE-2026-39411 LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

5CVSS6AI score0.00126EPSS
Exploits0References4
CVE
CVE
added 2026/04/08 7:37 p.m.15 views

CVE-2026-39411

CVE-2026-39411 (LobeHub) describes an unauthenticated authentication bypass on the webapi routes via a forgeable, client-controlled X-lobe-chat-auth header. Before version 2.1.48, the webapi authentication layer trusts an XOR-obfuscated header (hardcoded key: “LobeHub · LobeHub”) and treats decod...

7.1CVSS6AI score0.00126EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/08 7:37 p.m.2 views

CVE-2026-39411 LobeHub has an unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, the webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR ke...

5CVSS6.1AI score0.00126EPSS
Exploits0References6
OSV
OSV
added 2026/04/08 3:4 p.m.1 views

GHSA-5MWJ-V5JW-5C97 LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

Summary The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected...

5CVSS6AI score0.00126EPSS
Exploits0References6
Snyk
Snyk
added 2026/04/08 3:4 p.m.8 views

User Impersonation

Overview @lobehub/cli is a LobeHub command-line interface. Affected versions of this package are vulnerable to User Impersonation via the X-lobe-chat-auth header on webapi routes. An attacker can gain unauthorized access to protected API endpoints and perform actions as an authenticated user by...

7.1CVSS5.8AI score0.00126EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/04/08 3:4 p.m.8 views

LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header

Summary The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected...

7.1CVSS6.2AI score0.00126EPSS
Exploits0References6Affected Software1
EUVD
EUVD
added 2026/01/20 5:54 p.m.10 views

EUVD-2026-3400

Lobe Chat affected by Cross-Site ScriptingXSS that can escalate to Remote Code ExecutionRCE...

6.4CVSS5.5AI score0.00123EPSS
Exploits0References3
Snyk
Snyk
added 2026/01/19 5:49 p.m.4 views

Access Control Bypass

Overview @lobehub/chat is a Lobe Chat - an open-source, high-performance chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Supports one-click free deployment of your private ChatGPT/LLM web application. Affected versions of this package are...

6.3CVSS5.6AI score0.00194EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/01/19 4:53 p.m.3 views

CVE-2026-23522 Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. userId filter in the database query is commented out, so it's...

3.7CVSS5.6AI score0.00194EPSS
Exploits0References2
OSV
OSV
added 2026/01/19 4:53 p.m.8 views

CVE-2026-23522 Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. userId filter in the database query is commented out, so it's...

3.7CVSS5.6AI score0.00194EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/01/19 12:0 a.m.7 views

Lobe Chat security vulnerability

Lobe Chat is an open-source, high-performance chatbot framework developed by LobeHub. Versions of Lobe Chat prior to 2.0.0-next.193 contained security vulnerabilities, which were caused by a lack of ownership verification. This vulnerability could lead to arbitrary file deletion...

3.7CVSS5.9AI score0.00194EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/01/18 10:56 p.m.23 views

CVE-2026-23733 Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting XSS vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Executi...

6.4CVSS0.00123EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/01/18 10:56 p.m.2 views

CVE-2026-23733 Lobe Chat has Cross-Site Scripting (XSS) issue that may escalate to Remote Code Execution (RCE)

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting XSS vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Executi...

6.4CVSS6AI score0.00123EPSS
Exploits0References1
Rows per page
Query Builder