LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution — CVE-2026-42045
GitHub · GitHub · CVE-2026-42045
ID
CVE-2026-42045
CVE-2026-42045
Date
Updated
Activity
Source
GitHub
GitHub
Vendor
GitHub
GitHub
Threat
medium
medium
CVSS
6.2
6.2
EPSS
0.00039
0.00039
Summary
### Summary The vulnerability was automatically discovered by an ai agent and then manually verified. LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE). The LobeChat team verified this…
Product
npm: @lobehub/lobehub
What to do
General, cautious steps (verify details in the official source):
- Review exposure and plan remediation based on risk and environment.
- Identify affected product versions in your inventory and verify whether you are impacted.
- Apply vendor patches/updates or recommended mitigations as soon as available.
- Read the official advisory for exact affected versions and remediation steps.