5 matches found
GHSA-XQ4X-622M-Q8FQ LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
Summary: The vulnerability was automatically discovered by an AI agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious...
PT-2026-37247
Name of the Vulnerable Software and Affected Versions: LobeHub versions prior to 2.1.48. Description: A stored cross-site scripting (XSS) issue exists in the message rendering mechanism. When processing custom tags in the src/features/Portal/Artifacts/Body/Renderer/index.tsx render process, the softwa...
LobeChat < 0.150.6 Server-Side Request Forgery
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.150.6. It is, therefore, affected by a Server-Side Request Forgery through agent proxy configuration. Note that the scanner has not tested for these issues but has...
LobeChat < 0.122.4 Improper Access Control
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 0.122.4. It is, therefore, affected by an Improper Access Control issue allowing access to plugins without proper authorization. Note that the scanner has not tested for these...
LobeChat < 1.19.13 Server-Side Request Forgery
According to the self-reported version in its response header, the version of LobeChat hosted on the remote web server is prior to 1.19.13. It is, therefore, affected by multiple Server-Side Request Forgery issues: - A Server-Side Request Forgery through proxy address - A Server-Side Request Forgery...