CVE-2026-42045: LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution

May 5, 2026

The vulnerability was automatically discovered by an ai agent and then manually verified.

LobeChat’s message rendering mechanism has a stored cross-site scripting (XSS) vulnerability. Combined with the Electron main process’s exposed insecure IPC interface, attackers can construct malicious payloads to achieve an attack chain from XSS to remote code execution (RCE).

The LobeChat team verified this vulnerability in lobehub v2.1.23, and it also exists in the latest version.

References

github.com/advisories/GHSA-xq4x-622m-q8fq
github.com/lobehub/lobehub
github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq
nvd.nist.gov/vuln/detail/CVE-2026-42045

Code Behaviors & Features

Detect and mitigate CVE-2026-42045 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →