PT-2026-3404 · Mermaid+2
C2An1
Published 2026-01-18 · Updated 2026-01-20
CVE-2026-23733
| CVSS v3.1 | 9.6 (Critical) |
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LobeChat versions prior to 2.0.0-next.180
Description
LobeChat is an open source chat application platform. A stored cross-site scripting (XSS) vulnerability exists in its Mermaid artifact renderer: a crafted diagram executes arbitrary JavaScript in the application context when a victim views it. That script can be escalated to remote code execution (RCE) by calling the exposed electronAPI IPC bridge, which lets the attacker run arbitrary system commands on the victim's machine. The vulnerable component is the Mermaid artifact renderer.
Recommendations
Update to version 2.0.0-next.180 or later.
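The advisory names two weak points: a renderer that hands untrusted Mermaid source to the diagram engine, and an IPC bridge broad enough to turn renderer-side script into a shell. The example below is added here as an illustration of the corresponding defensive layers; it is not LobeChat, Mermaid or Electron code, and the channel names, validators, handlers and sample diagrams are assumptions made for the illustration. It models the gate a renderer can apply to diagram source (Mermaid's own `securityLevel: 'strict'`, the default, already disables `click` callbacks and HTML labels, but refusing such artifacts outright makes the policy explicit) and a preload bridge that exposes only named, argument-checked operations instead of a generic command runner.

```javascript
// Added example, not LobeChat or Mermaid code: two defensive layers for an
// Electron app that renders untrusted (chat/LLM-produced) Mermaid diagrams.
// Channel names, validators and sample diagrams are assumptions for this
// illustration; none are taken from the advisory.

// Layer 1: pre-check the Mermaid source before it reaches the renderer.
// Mermaid's `click` directive attaches a callback or link to a node; with
// securityLevel 'strict' (Mermaid's default) callbacks and HTML labels are
// disabled, but rejecting the artifact outright makes the policy explicit.
const CLICK_DIRECTIVE = /^\s*click\s+\S+/im;   // e.g. "click A call fn()"
const JS_URL = /javascript\s*:/i;              // javascript: links in labels/hrefs
const HTML_TAG = /<\s*\/?[a-z][^>]*>/i;        // inline HTML inside labels

function inspectMermaidSource(src) {
  const findings = [];
  if (CLICK_DIRECTIVE.test(src)) findings.push('click directive');
  if (JS_URL.test(src)) findings.push('javascript: URL');
  if (HTML_TAG.test(src)) findings.push('inline HTML');
  return { safe: findings.length === 0, findings };
}

// Layer 2: the preload bridge. Expose a fixed map of named operations with
// per-channel argument validation instead of a generic "run this command"
// function, so script running in the renderer cannot reach the shell.
// In a real preload script `api` would be passed to
// contextBridge.exposeInMainWorld('electronAPI', api) and each handler would
// forward to ipcRenderer.invoke; the handlers here are local stand-ins so the
// example runs under plain Node.
const OPERATIONS = {
  'app:getVersion': {
    validate: (args) => args.length === 0,
    handler: () => 'example-version',   // placeholder value for the illustration
  },
  'window:setTitle': {
    validate: (args) =>
      args.length === 1 && typeof args[0] === 'string' && args[0].length <= 256,
    handler: (title) => ({ title }),
  },
};

function createBridge(ops) {
  const api = {
    invoke(channel, ...args) {
      if (!Object.prototype.hasOwnProperty.call(ops, channel)) {
        throw new Error(`IPC channel not allowed: ${channel}`);
      }
      const op = ops[channel];
      if (!op.validate(args)) {
        throw new Error(`invalid arguments for ${channel}`);
      }
      return op.handler(...args);
    },
  };
  return Object.freeze(api);   // renderer script cannot add or swap methods
}

// Constructed sample inputs for the illustration.
const SAFE_DIAGRAM = 'graph TD\n  A[Start] --> B[Done]\n';
const HOSTILE_DIAGRAM = 'graph TD\n  A[Start] --> B[Done]\n  click A call attack()\n';

function demo() {
  const bridge = createBridge(OPERATIONS);
  const results = {
    safe: inspectMermaidSource(SAFE_DIAGRAM).safe,
    hostile: inspectMermaidSource(HOSTILE_DIAGRAM).findings,
    version: bridge.invoke('app:getVersion'),
    execBlocked: false,
  };
  try {
    bridge.invoke('shell:exec', 'id');   // what an XSS payload would attempt
  } catch (e) {
    results.execBlocked = true;
  }
  return results;
}

console.log(demo());
```

The source pre-check is defence in depth, not a substitute for rendering with `securityLevel: 'strict'` and sanitising the produced SVG before insertion into the DOM. The bridge is the part that actually breaks the escalation chain described above: even with script execution in the renderer, an attacker can only reach the operations listed in `OPERATIONS`, each with its own argument check, and the main process should re-validate on its side of `ipcMain.handle` rather than trust the preload.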
Exploit · Fix
RCE · Code Injection
Affected Products
Lobe Chat · Mermaid · electronAPI