Platform: nodejs
Component: @lobehub/chat
Fixed versions: 2.0.1, 1.143.3
CVE-2026-23733 describes a critical stored Cross-Site Scripting (XSS) vulnerability in the @lobehub/chat artifact renderer. It can be exploited to execute arbitrary JavaScript within the application context, potentially escalating to Remote Code Execution (RCE). The vulnerability affects versions of @lobehub/chat up to and including 1.143.2; a fix is available in version 2.0.0-next.180.
The core of the vulnerability lies in the Renderer component, which handles Mermaid diagram rendering. User-supplied content, whether it originates from a user message or from an AI-generated response, is passed directly to the <Mermaid> component without proper sanitization. An attacker can craft a malicious Mermaid diagram containing a JavaScript payload; when the diagram is rendered, the injected script executes within the application's security context, allowing the attacker to steal sensitive data, modify application behavior, or potentially gain complete control of the server. The potential for RCE significantly expands the attack surface and raises the severity of this vulnerability, which is particularly concerning where @lobehub/chat is integrated with sensitive data or critical systems.
CVE-2026-23733 was publicly disclosed on 2026-01-20. While no active exploitation campaigns have been publicly reported, the vulnerability's CRITICAL severity and potential for RCE make it a high-priority target. A public proof-of-concept is likely to become available, which would further increase the risk of exploitation. The vulnerability is not currently listed on CISA KEV, but its severity warrants close monitoring.
Applications utilizing @lobehub/chat versions prior to 2.0.0-next.180 are at significant risk. This includes chatbot applications, AI-powered assistants, and any system integrating @lobehub/chat for rendering Mermaid diagrams. Shared hosting environments where multiple applications share the same server instance are particularly vulnerable, as a compromise in one application could potentially impact others.
• nodejs / supply-chain:
Get-Process -Name node | Where-Object { $_.Path -match '@lobehub/chat' }
• nodejs / supply-chain:
# Event ID 4688 (process creation) is written to the Security log; Get-WinEvent takes -FilterHashtable rather than -Filter
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } | Where-Object { $_.Message -match '@lobehub/chat' }
• generic web: Inspect HTTP requests and responses for unusual JavaScript code within Mermaid diagrams. Look for obfuscated or encoded scripts.
Exploitation status: disclosure
EPSS: 0.09% (26th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-23733 is to immediately upgrade to version 2.0.0-next.180 or later of @lobehub/chat. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and sanitization of Mermaid diagrams are crucial. Implement strict content security policies (CSP) to restrict the execution of inline scripts. Additionally, review and audit all user-generated content to identify and remove potentially malicious Mermaid diagrams. Monitor application logs for suspicious activity, particularly JavaScript execution attempts originating from unexpected sources. After upgrading, confirm the fix by attempting to render a known malicious Mermaid diagram and verifying that the script does not execute.
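As an added example (not LobeHub code), here is the kind of pre-render gate the input-validation and log-monitoring advice above calls for: it inspects Mermaid diagram source before it reaches the renderer, refuses anything carrying markup, script URIs or an init directive that lowers mermaid's securityLevel, and logs the refusal. The function names, pattern list and sample diagrams are this example's own assumptions.

```javascript
// Added example, not LobeHub code: gate Mermaid diagram source before rendering.
// The pattern list is an assumption of this example, not an exhaustive filter.
const SUSPICIOUS_PATTERNS = [
  { name: "html-tag",       re: /<\s*(script|iframe|img|svg|object|embed|style)\b/i },
  { name: "event-handler",  re: /\bon[a-z]+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
  { name: "html-data-uri",  re: /data\s*:\s*text\/html/i },
  { name: "click-callback", re: /^\s*click\s+\S+\s+(callback|call)\b/im },
  { name: "init-directive", re: /%%\s*\{\s*init\b[\s\S]*?securityLevel\s*["']?\s*:\s*["']?(loose|antiscript)/i },
];

// Decode HTML entities first so "&lt;script&gt;" is inspected as "<script>".
function decodeEntities(text) {
  return String(text)
    .replace(/&#x([0-9a-f]+);/gi, (_, h) => String.fromCodePoint(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => String.fromCodePoint(parseInt(d, 10)))
    .replace(/&lt;/gi, "<").replace(/&gt;/gi, ">")
    .replace(/&quot;/gi, '"').replace(/&amp;/gi, "&");
}

// Returns { safe, findings }; findings lists the names of the rules that matched.
function inspectMermaidSource(source) {
  const normalized = decodeEntities(source);
  const findings = SUSPICIOUS_PATTERNS.filter(({ re }) => re.test(normalized)).map(({ name }) => name);
  return { safe: findings.length === 0, findings };
}

// Wrap the real renderer: flagged input is refused and logged instead of rendered.
function renderDiagram(source, renderFn, logFn = console.warn) {
  const verdict = inspectMermaidSource(source);
  if (!verdict.safe) {
    logFn(`mermaid render refused (${verdict.findings.join(", ")})`);
    return null;
  }
  return renderFn(source);
}

// Constructed samples: an ordinary flowchart, and one with an entity-encoded tag
// in a label, a javascript: click target and a directive relaxing securityLevel.
const BENIGN_DIAGRAM = `flowchart LR
  A[Request] --> B{Sanitized?}
  B -- yes --> C[Render]
  B -- no --> D[Refuse]`;
const FLAGGED_DIAGRAM = `%%{init: {"securityLevel": "loose"}}%%
flowchart LR
  A["&lt;script&gt;probe()&lt;/script&gt;"] --> B
  click B "javascript:probe()"`;
```

In a real deployment the gate sits beside, not instead of, the version upgrade and a CSP that blocks inline scripts.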
Update Lobe Chat to version 2.0.0-next.180 or later. This version contains a fix for the XSS vulnerability that could allow remote code execution. Updating will mitigate the risk of an attacker exploiting this vulnerability.
CVE-2026-23733 is a critical stored Cross-Site Scripting (XSS) vulnerability in @lobehub/chat versions up to 1.143.2 that can lead to Remote Code Execution (RCE) through malicious Mermaid diagrams.
If you are using @lobehub/chat versions 1.143.2 or earlier, you are vulnerable to this XSS/RCE vulnerability.
Upgrade to version 2.0.0-next.180 or later of @lobehub/chat. Implement input validation and content security policies as temporary mitigations.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and potential for RCE make it a high-priority target.
Refer to the official @lobehub/chat project repository and release notes for the latest advisory and security updates.