CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

25 matches found

LobeHub LobeChat <= 2.1.56 - Server-Side Request Forgery

LobeHub LobeChat versions up to and including 2.1.56 are vulnerable to an unauthenticated server-side request forgery vulnerability in the /webapi/proxy endpoint. The endpoint accepts a URL in the POST request body and fetches it server-side without authentication. id: CVE-2026-54157 info: name:...

9CVSS5.8AI score0.0178EPSS

Exploits0References2

RedhatCVE•added 2026/06/05 7:30 p.m.•11 views

CVE-2026-42045

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the...

6.2CVSS6.1AI score0.00266EPSS

Exploits0References1

NVD•added 2026/05/12 6:17 p.m.•14 views

CVE-2026-42045

6.2CVSS0.00266EPSS

Exploits0References1

Vulnrichment•added 2026/05/12 4:47 p.m.•6 views

CVE-2026-42045 LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)

6.2CVSS6.2AI score0.00266EPSS

Exploits0References1

ATTACKERKB•added 2026/05/12 4:47 p.m.•6 views

CVE-2026-42045

6.2CVSS6.2AI score0.00266EPSS

Exploits0References2Affected Software1

OSV•added 2026/05/05 6:4 p.m.•5 views

GHSA-XQ4X-622M-Q8FQ LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution

Summary The vulnerability was automatically discovered by an ai agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting XSS vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious...

6.2CVSS6.5AI score0.00266EPSS

Exploits0References3

Github Security Blog•added 2026/05/05 6:4 p.m.•14 views

LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution

6.2CVSS6.5AI score0.00266EPSS

Exploits0References3Affected Software1

Positive Technologies•added 2026/05/05 12:0 a.m.•11 views

PT-2026-37247

Name of the Vulnerable Software and Affected Versions LobeHub versions prior to 2.1.48 Description A stored cross-site scripting XSS issue exists in the message rendering mechanism. When processing custom tags in the src/features/Portal/Artifacts/Body/Renderer/index.tsx render process, the softwa...

6.2CVSS6.5AI score0.00266EPSS

Exploits0References4

EUVD•added 2026/01/20 5:14 p.m.•4 views

EUVD-2026-3318

Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion...

3.7CVSS5.3AI score0.00194EPSS

Exploits0References3

RedhatCVE•added 2026/01/19 11:25 p.m.•4 views

CVE-2026-23733

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting XSS vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Executi...

6.4CVSS6AI score0.00123EPSS

Exploits0References1

NVD•added 2026/01/19 5:15 p.m.•4 views

CVE-2026-23522

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, knowledgeBase.removeFilesFromKnowledgeBase tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. userId filter in the database query is commented out, so it's...

3.7CVSS0.00194EPSS

Exploits0References2

ATTACKERKB•added 2026/01/19 4:53 p.m.•4 views

CVE-2026-23522

3.7CVSS5.5AI score0.00194EPSS

Exploits0References3Affected Software1

Cvelist•added 2026/01/19 4:53 p.m.•16 views

CVE-2026-23522 Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion

3.7CVSS0.00194EPSS

Exploits0References2

NVD•added 2026/01/18 11:15 p.m.•10 views

CVE-2026-23733

6.4CVSS0.00123EPSS

Exploits0References1

Cvelist•added 2025/10/17 6:18 p.m.•8 views

CVE-2025-62505 SSRF in lobehub/lobe-chat with native web fetch module

LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request forgery SSRF in the tools.search.crawlPages tRPC endpoint. A client can supply an arbitrary urls array together with impls containing the value naive. The service...

3CVSS0.00294EPSS

Exploits0References2

Vulnrichment•added 2025/10/17 6:18 p.m.•1 views

CVE-2025-62505 SSRF in lobehub/lobe-chat with native web fetch module

3CVSS6.7AI score0.00294EPSS

Exploits0References2

CVE•added 2025/10/17 6:18 p.m.•12 views

CVE-2025-62505

LobeChat exposes an SSRF in version 1.136.1 via the web-crawler’s tools.search.crawlPages endpoint. The naive impl (naive) allows a user-provided urls array to be fetched server-side without validating internal network addresses (localhost, 127.0.0.1, private ranges, or metadata endpoints). With ...

3CVSS6.7AI score0.00294EPSS

Exploits0References2

OSV•added 2025/10/17 6:18 p.m.•10 views

CVE-2025-62505 SSRF in lobehub/lobe-chat with native web fetch module

3CVSS7AI score0.00294EPSS

Exploits0References4

EUVD•added 2025/10/17 5:46 p.m.•2 views

EUVD-2025-34905

Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module...

3CVSS6.4AI score0.00294EPSS

Exploits0References5

Tenable Nessus•added 2025/02/03 12:0 a.m.•4 views

LobeChat < 1.19.13 Server-Side Request Forgery

According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 1.19.13. It is, therefore, affected by multiples Server-Side Request Forgery : - A Server-Side Request Forgery through proxy address - A Server-Side Request Forgery...

9CVSS7.4AI score0.23716EPSS

Exploits5References4

Rows per page

Query Builder

Family

Bulletin Type

Min CVSS Score

Date

Order by