CVE-2026-42045— LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42045
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)
Source: NVD (National Vulnerability Database)
Vulnerability Description
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges. This vulnerability is fixed in 2.1.48.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
在Web页面生成时对输入的转义处理不恰当(跨站脚本)
Source: NVD (National Vulnerability Database)
Vulnerability Title
LobeHub 跨站脚本漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
LobeHub是LobeHub开源的一个全平台AI对话框架。 LobeHub 2.1.48之前版本存在跨站脚本漏洞,该漏洞源于处理自定义标签时未正确过滤,可能导致跨站脚本攻击和通过IPC接口执行任意系统命令。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42045
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-42045
请登录查看更多情报信息。
- https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fqx_refsource_CONFIRM
- https://nvd.nist.gov/vuln/detail/CVE-2026-42045
IV. Related Vulnerabilities
Same vendor: lobehub
- CVE-2026-39411
LobeHub has an unauthenticated authentication bypass on `web - CVE-2026-23835
LobeHub Vulnerable to Improper Authorization in Presigned Up - CVE-2026-23522
Lobe Chat has IDOR in Knowledge Base File Removal that Allow - CVE-2026-23733
Lobe Chat has Cross-Site Scripting (XSS) issue that may esca - CVE-2025-62505
SSRF in lobehub/lobe-chat with native web fetch module
Same weakness: CWE-79
- CVE-2026-23695
Cockpit CMS 2.14.0 Stored XSS via Set Field Display Template - CVE-2026-6415
Advanced Custom Fields: Font Awesome Field <= 5.0.2 - Authen - CVE-2026-6646
The7 <= 14.3.2 - Authenticated (Contributor+) Stored Cross-S - CVE-2026-24662
Musetheque V4/XSS漏洞 - CVE-2026-44429
MCP Registry: Stored XSS in catalogue UI via attribute-quote
V. Comments for CVE-2026-42045
No comments yet