CVE-2026-23733: Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)

January 20, 2026

A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE) by leveraging the exposed electronAPI IPC bridge, allowing attackers to run arbitrary system commands on the victim’s machine.

References

github.com/advisories/GHSA-4gpc-rhpj-9443
github.com/lobehub/lobe-chat
github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
nvd.nist.gov/vuln/detail/CVE-2026-23733

Code Behaviors & Features

Detect and mitigate CVE-2026-23733 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →