PT-2026-3404 · Mermaid+2
C2An1
Published 2026-01-18 · Updated 2026-01-20
CVE-2026-23733
CVSS v3.1 9.6 Critical
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LobeChat versions prior to 2.0.0-next.180
Description
LobeChat is an open source chat application platform. A stored Cross-Site Scripting (XSS) issue exists in the Mermaid artifact renderer, enabling attackers to execute arbitrary JavaScript within the application. This XSS can be escalated to Remote Code Execution (RCE) by exploiting the exposed electronAPI IPC bridge, which allows attackers to run arbitrary system commands on a victim's machine. The vulnerable component is the Mermaid artifact renderer.
Recommendations
Update to version 2.0.0-next.180 or later.
Exploit
Fix
RCE
Code Injection
Weakness Enumeration
Related identifiers
Affected products
Lobe Chat
Mermaid
Electronapi