CVE-2026-23733: Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)

January 20, 2026 (updated February 5, 2026)

A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).

References

github.com/advisories/GHSA-4gpc-rhpj-9443
github.com/lobehub/lobe-chat
github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443
nvd.nist.gov/vuln/detail/CVE-2026-23733

Code Behaviors & Features

Detect and mitigate CVE-2026-23733 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →