{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-25T11:40:21.353","vulnerabilities":[{"cve":{"id":"CVE-2026-23733","sourceIdentifier":"security-advisories@github.com","published":"2026-01-18T23:15:48.710","lastModified":"2026-06-17T10:22:00.920","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed `electronAPI` IPC bridge, allowing attackers to run arbitrary system commands on the victim's machine. Version 2.0.0-next.180 patches the issue."},{"lang":"es","value":"LobeChat es una plataforma de aplicación de chat de código abierto. Antes de la versión 2.0.0-next.180, una vulnerabilidad de cross-site scripting (XSS) almacenado en el renderizador de artefactos Mermaid permite a los atacantes ejecutar JavaScript arbitrario dentro del contexto de la aplicación. Este XSS puede escalarse a ejecución remota de código (RCE) aprovechando el puente IPC 'electronAPI' expuesto, permitiendo a los atacantes ejecutar comandos de sistema arbitrarios en la máquina de la víctima. La versión 2.0.0-next.180 corrige el problema."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"lobehub","product":"lobe-chat","versions":[{"version":"< 2.0.0-next.180","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L","baseScore":6.4,"baseSeverity":"MEDIUM","attackVector":"LOCAL","attackComplexity":"HIGH","privilegesRequired":"HIGH","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":0.6,"impactScore":5.3}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-01-20T19:37:28.484840Z","id":"CVE-2026-23733","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-94"}]}],"references":[{"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443","source":"security-advisories@github.com"}]}}]}