CVE-2026-42045— LobeHub 跨站脚本漏洞

LobeHub: Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges. This vulnerability is fixed in 2.1.48.

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

LobeHub 跨站脚本漏洞

LobeHub是LobeHub开源的一个全平台AI对话框架。 LobeHub 2.1.48之前版本存在跨站脚本漏洞，该漏洞源于处理自定义标签时未正确过滤，可能导致跨站脚本攻击和通过IPC接口执行任意系统命令。

N/A

N/A