PT-2026-37247 · Lobehub · Lobehub
Published: 2026-05-05 · Updated: 2026-05-19 · CVE-2026-42045
CVSS v3.1: 6.2 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LobeHub versions prior to 2.1.48
Description: A stored cross-site scripting (XSS) issue exists in the message rendering mechanism. When processing custom tags in the src/features/Portal/Artifacts/Body/Renderer/index.tsx render process, the software falls back to the HTMLRenderer function, which renders the content as HTML, whenever the tag's type matches no known renderer. An attacker can induce a Large Language Model (LLM) to output content containing malicious tags, which triggers this XSS on the client side.
Furthermore, the Electron main process exposes an insecure Inter-Process Communication (IPC) interface called runCommand that invokes system commands. This interface does not filter the command parameter, so it allows arbitrary command execution. By obtaining a handle to window.parent.electronAPI via the XSS and calling the runCommand method, an attacker can execute arbitrary system commands with the privileges of the current user, leading to remote code execution (RCE).
Recommendations: Update to version 2.1.48.
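Added illustration (not LobeHub's code, and not the actual fix shipped in 2.1.48): the two defensive patterns that address the two weaknesses described above. The first is a renderer dispatch whose fallback for an unrecognised artifact type is escaped plain text instead of an HTML renderer. The second is a validator for a privileged IPC channel that accepts only named actions from a fixed allowlist, each with a pattern-checked argument, instead of a raw command string. Every name below (the artifact types, the action names, the request shape) is hypothetical.

```typescript
// Added example; hypothetical names throughout, not LobeHub identifiers.

export type RenderMode = "markdown" | "svg" | "html" | "plain-text";

// Explicit allowlist of artifact types that may reach a markup-capable
// renderer. A Map rather than a plain object is used so that model-chosen
// keys such as "constructor" or "__proto__" cannot match inherited properties.
const RENDER_MODE_BY_TYPE: ReadonlyMap<string, RenderMode> = new Map<string, RenderMode>([
  ["text/markdown", "markdown"],
  ["image/svg+xml", "svg"],
  ["text/html", "html"],
]);

export function selectRenderMode(type: string | undefined): RenderMode {
  // Anything not explicitly listed is treated as inert text. The vulnerable
  // behaviour described in the advisory is the opposite default.
  if (typeof type !== "string") return "plain-text";
  return RENDER_MODE_BY_TYPE.get(type) ?? "plain-text";
}

const HTML_ESCAPES: ReadonlyMap<string, string> = new Map([
  ["&", "&amp;"], ["<", "&lt;"], [">", "&gt;"], ['"', "&quot;"], ["'", "&#39;"],
]);

export function escapeHtml(text: string): string {
  return text.replace(/[&<>"']/g, (c) => HTML_ESCAPES.get(c) ?? c);
}

export interface RenderPlan {
  mode: RenderMode;
  // Content to hand to the renderer. For "plain-text" it is already escaped.
  // When sandbox is true the content must only be shown inside an iframe with
  // a restrictive sandbox attribute (or be sanitised first), never inserted
  // into the host document directly.
  content: string;
  sandbox: boolean;
}

export function planArtifactRender(type: string | undefined, body: string): RenderPlan {
  const mode = selectRenderMode(type);
  switch (mode) {
    case "plain-text":
      return { mode, content: escapeHtml(body), sandbox: false };
    case "html":
    case "svg": // SVG can carry script, so it is isolated like HTML
      return { mode, content: body, sandbox: true };
    default:
      // Markdown is rendered with raw HTML passthrough disabled in this design.
      return { mode, content: body, sandbox: false };
  }
}

// Privileged IPC: the renderer never sends a command string. It sends a named
// action plus one argument, and each action has its own argument pattern that
// rejects shell metacharacters, path separators and other unexpected input.
const ALLOWED_ACTIONS: ReadonlyMap<string, RegExp> = new Map<string, RegExp>([
  // hypothetical: reveal a file (by bare name) inside the app's own download dir
  ["reveal-download", /^[A-Za-z0-9_][A-Za-z0-9_.\- ]{0,255}$/],
  // hypothetical: open an https URL in the system browser
  ["open-external-url", /^https:\/\/[A-Za-z0-9.-]+(?:\/[A-Za-z0-9._~\-\/?=&%]*)?$/],
]);

export type IpcDecision =
  | { ok: true; action: string; arg: string }
  | { ok: false; reason: string };

export function validateCommandRequest(req: unknown): IpcDecision {
  if (typeof req !== "object" || req === null) {
    return { ok: false, reason: "request is not an object" };
  }
  const { action, arg } = req as { action?: unknown; arg?: unknown };
  if (typeof action !== "string") return { ok: false, reason: "action missing" };
  const pattern = ALLOWED_ACTIONS.get(action);
  if (pattern === undefined) return { ok: false, reason: `unknown action ${action}` };
  if (typeof arg !== "string" || !pattern.test(arg)) {
    return { ok: false, reason: "argument rejected" };
  }
  return { ok: true, action, arg };
}
```

In the main process the handler that receives a validated request should still dispatch each action to a fixed program via child_process.execFile or spawn with an argument array (no shell), and should check event.senderFrame against the app's own origin before acting, so that a frame injected into the renderer cannot reach the channel through window.parent. Keeping contextIsolation enabled and exposing only these named actions through the preload script, rather than a generic runCommand, removes the primitive the advisory's RCE chain relies on.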

Exploit · Fix

Weakness Enumeration: XSS · OS Command Injection

Related Identifiers: CVE-2026-42045, GHSA-XQ4X-622M-Q8FQ

Affected Products: Lobehub