Look up vulnerable packages by Package URL.

Purl pkg:npm/%40lobehub/chat@0.117.5
Type npm
Namespace @lobehub
Name chat
Version 0.117.5
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.143.3
Latest_non_vulnerable_version 1.143.3
Affected_by_vulnerabilities
0
url VCID-78pn-bez6-nuat
vulnerability_id VCID-78pn-bez6-nuat
summary
LobeHub Vulnerable to Improper Authorization in Presigned Upload
The file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23835
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.1316
published_at 2026-06-07T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.132
published_at 2026-06-06T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13197
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23835
1
reference_url https://github.com/lobehub/lobehub
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub
2
reference_url https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23835
reference_id CVE-2026-23835
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23835
4
reference_url https://github.com/advisories/GHSA-wrrr-8jcv-wjf5
reference_id GHSA-wrrr-8jcv-wjf5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wrrr-8jcv-wjf5
5
reference_url https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
reference_id GHSA-wrrr-8jcv-wjf5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-30T20:21:13Z/
url https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.143.3
purl pkg:npm/%40lobehub/chat@1.143.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.3
aliases CVE-2026-23835, GHSA-wrrr-8jcv-wjf5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-78pn-bez6-nuat
1
url VCID-8qh9-2q7c-tqfd
vulnerability_id VCID-8qh9-2q7c-tqfd
summary
Lobe Chat API Key Leak
If an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-37895
reference_id
reference_type
scores
0
value 0.00467
scoring_system epss
scoring_elements 0.64808
published_at 2026-06-07T12:55:00Z
1
value 0.00467
scoring_system epss
scoring_elements 0.64819
published_at 2026-06-06T12:55:00Z
2
value 0.00467
scoring_system epss
scoring_elements 0.64809
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-37895
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-37895
reference_id CVE-2024-37895
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-37895
3
reference_url https://github.com/advisories/GHSA-p36r-qxgx-jq2v
reference_id GHSA-p36r-qxgx-jq2v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p36r-qxgx-jq2v
4
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v
reference_id GHSA-p36r-qxgx-jq2v
reference_type
scores
0
value 5.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T14:05:08Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v
fixed_packages
0
url pkg:npm/%40lobehub/chat@0.162.25
purl pkg:npm/%40lobehub/chat@0.162.25
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-az37-1hae-y7h4
2
vulnerability VCID-facw-4ca9-ayfr
3
vulnerability VCID-fkv5-wm1u-pfh5
4
vulnerability VCID-fxza-2edn-ubhh
5
vulnerability VCID-g4u9-b2aj-s3gy
6
vulnerability VCID-p67q-uhv9-e3fe
7
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.162.25
aliases CVE-2024-37895, GHSA-p36r-qxgx-jq2v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8qh9-2q7c-tqfd
2
url VCID-az37-1hae-y7h4
vulnerability_id VCID-az37-1hae-y7h4
summary
Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module
---

- Since the server performs outbound requests to internal networks, localhost, and metadata endpoints, an attacker can abuse the server’s network position to access internal resources (internal APIs, management ports, cloud metadata, etc.).

- As a result, this can lead to exposure of internal system information, leakage of authentication tokens/secret keys (e.g., IMDSv1/v2), misuse of internal admin interfaces, and provide a foothold for further lateral movement.

- By leveraging user-supplied impls to force the unfiltered naive implementation, SSRF defenses—such as blocking private/metadata IPs, DNS re-validation/re-resolution, and redirect restrictions—can be bypassed.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-62505
reference_id
reference_type
scores
0
value 0.00026
scoring_system epss
scoring_elements 0.07857
published_at 2026-06-07T12:55:00Z
1
value 0.00026
scoring_system epss
scoring_elements 0.07884
published_at 2026-06-06T12:55:00Z
2
value 0.00026
scoring_system epss
scoring_elements 0.07871
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-62505
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 3.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/blob/d942a635b36a231156c60d824afa573af8032572/packages/web-crawler/src/crawImpl/naive.ts#L39-L45
reference_id
reference_type
scores
0
value 3.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/d942a635b36a231156c60d824afa573af8032572/packages/web-crawler/src/crawImpl/naive.ts#L39-L45
3
reference_url https://github.com/lobehub/lobe-chat/commit/8d59583dca16f218b99213d641733d8ba77f182c
reference_id
reference_type
scores
0
value 3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
1
value 3.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T18:30:45Z/
url https://github.com/lobehub/lobe-chat/commit/8d59583dca16f218b99213d641733d8ba77f182c
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-62505
reference_id CVE-2025-62505
reference_type
scores
0
value 3.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-62505
5
reference_url https://github.com/advisories/GHSA-fgx4-p8xf-qhp9
reference_id GHSA-fgx4-p8xf-qhp9
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fgx4-p8xf-qhp9
6
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-fgx4-p8xf-qhp9
reference_id GHSA-fgx4-p8xf-qhp9
reference_type
scores
0
value 3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
1
value 3.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N
2
value LOW
scoring_system cvssv3.1_qr
scoring_elements
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T18:30:45Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-fgx4-p8xf-qhp9
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.136.2
purl pkg:npm/%40lobehub/chat@1.136.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-fkv5-wm1u-pfh5
2
vulnerability VCID-fxza-2edn-ubhh
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.136.2
aliases CVE-2025-62505, GHSA-fgx4-p8xf-qhp9
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-az37-1hae-y7h4
3
url VCID-facw-4ca9-ayfr
vulnerability_id VCID-facw-4ca9-ayfr
summary
Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages
We identified a cross-site scripting (XSS) vulnerability when handling chat messages in lobe-chat that can be escalated to remote code execution on the user’s machine. Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59417
reference_id
reference_type
scores
0
value 0.00221
scoring_system epss
scoring_elements 0.448
published_at 2026-06-07T12:55:00Z
1
value 0.00221
scoring_system epss
scoring_elements 0.44822
published_at 2026-06-06T12:55:00Z
2
value 0.00221
scoring_system epss
scoring_elements 0.44815
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59417
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/apps/desktop/src/main/controllers/SystemCtr.ts#L65-L68
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/apps/desktop/src/main/controllers/SystemCtr.ts#L65-L68
3
reference_url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/index.ts#L7-L11
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/index.ts#L7-L11
4
reference_url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/rehypePlugin.ts#L50-L68
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/rehypePlugin.ts#L50-L68
5
reference_url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/index.tsx#L10-L32
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/index.tsx#L10-L32
6
reference_url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/SVG.tsx#L67-L79
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/SVG.tsx#L67-L79
7
reference_url https://github.com/lobehub/lobe-chat/commit/9f044edd07ce102fe9f4b2fb47c62191c36da05c
reference_id
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-19T17:01:22Z/
url https://github.com/lobehub/lobe-chat/commit/9f044edd07ce102fe9f4b2fb47c62191c36da05c
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59417
reference_id CVE-2025-59417
reference_type
scores
0
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59417
9
reference_url https://github.com/advisories/GHSA-m79r-r765-5f9j
reference_id GHSA-m79r-r765-5f9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-m79r-r765-5f9j
10
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-m79r-r765-5f9j
reference_id GHSA-m79r-r765-5f9j
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-19T17:01:22Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-m79r-r765-5f9j
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.129.4
purl pkg:npm/%40lobehub/chat@1.129.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-az37-1hae-y7h4
2
vulnerability VCID-fkv5-wm1u-pfh5
3
vulnerability VCID-fxza-2edn-ubhh
4
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.129.4
aliases CVE-2025-59417, GHSA-m79r-r765-5f9j
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-facw-4ca9-ayfr
4
url VCID-fkv5-wm1u-pfh5
vulnerability_id VCID-fkv5-wm1u-pfh5
summary
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
The `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23522
reference_id
reference_type
scores
0
value 0.00066
scoring_system epss
scoring_elements 0.20524
published_at 2026-06-07T12:55:00Z
1
value 0.00066
scoring_system epss
scoring_elements 0.20564
published_at 2026-06-06T12:55:00Z
2
value 0.00066
scoring_system epss
scoring_elements 0.20577
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23522
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/
url https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23522
reference_id CVE-2026-23522
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23522
4
reference_url https://github.com/advisories/GHSA-j7xp-4mg9-x28r
reference_id GHSA-j7xp-4mg9-x28r
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j7xp-4mg9-x28r
5
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r
reference_id GHSA-j7xp-4mg9-x28r
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r
fixed_packages
aliases CVE-2026-23522, GHSA-j7xp-4mg9-x28r
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5
5
url VCID-fxza-2edn-ubhh
vulnerability_id VCID-fxza-2edn-ubhh
summary
Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23733
reference_id
reference_type
scores
0
value 0.00151
scoring_system epss
scoring_elements 0.35462
published_at 2026-06-07T12:55:00Z
1
value 0.00151
scoring_system epss
scoring_elements 0.35501
published_at 2026-06-06T12:55:00Z
2
value 0.00151
scoring_system epss
scoring_elements 0.35489
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23733
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23733
reference_id CVE-2026-23733
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23733
3
reference_url https://github.com/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4gpc-rhpj-9443
4
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
1
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:28Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
5
reference_url https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443
fixed_packages
aliases CVE-2026-23733, GHSA-4gpc-rhpj-9443
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fxza-2edn-ubhh
6
url VCID-g4u9-b2aj-s3gy
vulnerability_id VCID-g4u9-b2aj-s3gy
summary
lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)
The SSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirects and could be bypassed when an attacker provides an external malicious URL that redirects to internal resources such as a private network or loopback address.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-47066
reference_id
reference_type
scores
0
value 0.05777
scoring_system epss
scoring_elements 0.90656
published_at 2026-06-06T12:55:00Z
1
value 0.05777
scoring_system epss
scoring_elements 0.90653
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-47066
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/
url https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts
3
reference_url https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/
url https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-47066
reference_id CVE-2024-47066
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-47066
5
reference_url https://github.com/advisories/GHSA-3fc8-2r3f-8wrg
reference_id GHSA-3fc8-2r3f-8wrg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-3fc8-2r3f-8wrg
6
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg
reference_id GHSA-3fc8-2r3f-8wrg
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg
7
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
reference_id GHSA-mxhq-xw3g-rphc
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value 6.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.19.13
purl pkg:npm/%40lobehub/chat@1.19.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-az37-1hae-y7h4
2
vulnerability VCID-facw-4ca9-ayfr
3
vulnerability VCID-fkv5-wm1u-pfh5
4
vulnerability VCID-fxza-2edn-ubhh
5
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.19.13
aliases CVE-2024-47066, GHSA-3fc8-2r3f-8wrg
risk_score 4.0
exploitability 0.5
weighted_severity 8.1
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g4u9-b2aj-s3gy
7
url VCID-kjm4-xj32-fyea
vulnerability_id VCID-kjm4-xj32-fyea
summary
lobe-chat `/api/proxy` endpoint Server-Side Request Forgery vulnerability
The latest version of lobe-chat (v0.141.2 at the time of writing) has an unauthenticated SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-32964
reference_id
reference_type
scores
0
value 0.71676
scoring_system epss
scoring_elements 0.98752
published_at 2026-06-07T12:55:00Z
1
value 0.71676
scoring_system epss
scoring_elements 0.98753
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-32964
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
reference_id
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value CRITICAL
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T17:50:39Z/
url https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32964
reference_id CVE-2024-32964
reference_type
scores
0
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-32964
4
reference_url https://github.com/advisories/GHSA-mxhq-xw3g-rphc
reference_id GHSA-mxhq-xw3g-rphc
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mxhq-xw3g-rphc
5
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
reference_id GHSA-mxhq-xw3g-rphc
reference_type
scores
0
value 9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
1
value 9.0
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T17:50:39Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc
fixed_packages
0
url pkg:npm/%40lobehub/chat@0.150.6
purl pkg:npm/%40lobehub/chat@0.150.6
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-8qh9-2q7c-tqfd
2
vulnerability VCID-az37-1hae-y7h4
3
vulnerability VCID-facw-4ca9-ayfr
4
vulnerability VCID-fkv5-wm1u-pfh5
5
vulnerability VCID-fxza-2edn-ubhh
6
vulnerability VCID-g4u9-b2aj-s3gy
7
vulnerability VCID-p67q-uhv9-e3fe
8
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.150.6
aliases CVE-2024-32964, GHSA-mxhq-xw3g-rphc
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kjm4-xj32-fyea
8
url VCID-p67q-uhv9-e3fe
vulnerability_id VCID-p67q-uhv9-e3fe
summary
@lobehub/chat Server Side Request Forgery vulnerability
lobe-chat before 1.19.13 has an unauthenticated SSRF vulnerability. An attacker can craft malicious requests that trigger SSRF without logging in, reach intranet services, and leak sensitive information.
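The control whose absence produces the SSRF class above is a deny-by-default check on any URL the server is asked to fetch on a user's behalf. The following is an added example written for this page, not code from the lobe-chat project or its fix commit; the scheme list, blocked address ranges and internal-suffix list are this example's own choices. It relies on the WHATWG URL parser (Node's global `URL`) already folding decimal, hex and short IPv4 forms into dotted quads, so only the normalised hostname has to be understood. It is a static check only: a public hostname that passes here must still be resolved and the resolved address re-checked at connect time (DNS rebinding), and every redirect hop must be checked the same way.

```typescript
// Added example, not lobe-chat project code: deny-by-default validation of a
// user-supplied URL before the server fetches it.
type Verdict = { ok: true; url: URL } | { ok: false; reason: string };

const ALLOWED_SCHEMES = new Set(["http:", "https:"]);

// Hostname suffixes that mean "inside this deployment" regardless of DNS (example's choice).
const INTERNAL_SUFFIXES = [".localhost", ".internal", ".local"];

// Address blocks the server must never fetch from: "this network", RFC 1918, CGNAT,
// loopback and link-local (169.254.169.254 is the usual cloud metadata endpoint).
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8],
  ["10.0.0.0", 8],
  ["100.64.0.0", 10],
  ["127.0.0.0", 8],
  ["169.254.0.0", 16],
  ["172.16.0.0", 12],
  ["192.168.0.0", 16],
];

// Dotted-quad IPv4 literal to a 32-bit unsigned number; null for anything else.
// The URL parser has already turned 2130706433, 0x7f000001 and 127.1 into 127.0.0.1.
function parseIPv4(host: string): number | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

function inCidr(ip: number, base: string, bits: number): boolean {
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ip & mask) >>> 0) === (((parseIPv4(base) as number) & mask) >>> 0);
}

function isBlockedV4(ip: number): boolean {
  return BLOCKED_V4.some(([base, bits]) => inCidr(ip, base, bits));
}

// IPv6 literal with brackets already stripped: unspecified/loopback, link-local,
// unique-local, and IPv4-mapped addresses in both dotted and hex serialisations
// (the URL parser serialises [::ffff:127.0.0.1] as [::ffff:7f00:1]).
function isBlockedV6(host: string): boolean {
  const h = host.toLowerCase();
  if (h === "::" || h === "::1") return true;
  if (h.startsWith("fe80:") || h.startsWith("fc") || h.startsWith("fd")) return true;
  const dotted = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(h);
  if (dotted) {
    const v4 = parseIPv4(dotted[1]);
    return v4 === null || isBlockedV4(v4);
  }
  const hex = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (hex) {
    const v4 = ((parseInt(hex[1], 16) << 16) | parseInt(hex[2], 16)) >>> 0;
    return isBlockedV4(v4);
  }
  return false;
}

function checkOutboundUrl(raw: string): Verdict {
  let url: URL;
  try {
    url = new URL(raw);
  } catch (_err) {
    return { ok: false, reason: "unparseable URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: `scheme ${url.protocol} not allowed` };
  if (url.username !== "" || url.password !== "") return { ok: false, reason: "credentials in URL" };

  const host = url.hostname.toLowerCase();
  if (host.startsWith("[") && host.endsWith("]")) {
    return isBlockedV6(host.slice(1, -1)) ? { ok: false, reason: `${host} is a blocked IPv6 address` } : { ok: true, url };
  }
  const v4 = parseIPv4(host);
  if (v4 !== null) {
    return isBlockedV4(v4) ? { ok: false, reason: `${host} is a blocked IPv4 address` } : { ok: true, url };
  }
  if (host === "localhost" || INTERNAL_SUFFIXES.some((s) => host.endsWith(s))) {
    return { ok: false, reason: `${host} is an internal hostname` };
  }
  // Public hostname: passes the static check. The caller must still resolve it and run
  // isBlockedV4/isBlockedV6 on the address actually connected to, and re-check each redirect.
  return { ok: true, url };
}
```

Rejecting credentials in the URL and non-http(s) schemes is cheap and removes whole families of bypasses (`file:`, `gopher:`, `http://user@internal-host`); the address-range check is what actually stops the intranet pivot.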
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-32965
reference_id
reference_type
scores
0
value 0.03119
scoring_system epss
scoring_elements 0.87097
published_at 2026-06-07T12:55:00Z
1
value 0.03119
scoring_system epss
scoring_elements 0.87102
published_at 2026-06-06T12:55:00Z
2
value 0.03119
scoring_system epss
scoring_elements 0.87105
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-32965
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf
reference_id
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/
url https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-32965
reference_id CVE-2024-32965
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-32965
4
reference_url https://github.com/advisories/GHSA-2xcc-vm3f-m8rw
reference_id GHSA-2xcc-vm3f-m8rw
reference_type
scores
url https://github.com/advisories/GHSA-2xcc-vm3f-m8rw
5
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw
reference_id GHSA-2xcc-vm3f-m8rw
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L
1
value 7.0
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.19.13
purl pkg:npm/%40lobehub/chat@1.19.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-az37-1hae-y7h4
2
vulnerability VCID-facw-4ca9-ayfr
3
vulnerability VCID-fkv5-wm1u-pfh5
4
vulnerability VCID-fxza-2edn-ubhh
5
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.19.13
aliases CVE-2024-32965, GHSA-2xcc-vm3f-m8rw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-p67q-uhv9-e3fe
9
url VCID-qf24-bv2y-6bcp
vulnerability_id VCID-qf24-bv2y-6bcp
summary
lobe-chat has an Open Redirect
- It can force users to redirect to untrusted external domains, leading to subsequent attacks such as phishing, credential harvesting, and session fixation.
- It can disrupt the OAuth/OIDC flow user experience by redirecting users to malicious domains disguised as legitimate pages (even though this path does not directly include tokens, it can be exploited for social engineering attacks through redirect chains).
- The impact can be amplified when redirect chains are combined with other vulnerabilities such as CSP bypass or cache poisoning.
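The defence for the redirect issue described above is to let the consent step send the browser only to a same-origin path, never to whatever target the request carried. The following is an added example written for this page, not code from the lobe-chat project or from the referenced commit; `APP_ORIGIN`, the function name and the fallback behaviour are this example's assumptions. It returns an absolute same-origin URL rather than a bare path, because a path that normalises to `//host` would be read as protocol-relative if placed in a Location header.

```typescript
// Added example, not lobe-chat project code: constrain a post-consent redirect target
// to the application's own origin.
const APP_ORIGIN = "https://chat.example.test"; // assumed deployment origin

// Returns an absolute same-origin URL for `candidate`, or the site root when the
// candidate is missing, malformed, or would leave the site.
function safeRedirectTarget(candidate: string | null | undefined, origin: string = APP_ORIGIN): string {
  const home = new URL("/", origin).href;
  if (!candidate) return home;
  // Reject control characters and backslashes before parsing: browsers treat "\" as "/"
  // in http(s) URLs, so "/\evil.example" would otherwise behave like "//evil.example".
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return home;
  // Accept only a path-absolute reference: one leading "/" not followed by another "/",
  // which rules out protocol-relative "//host" and absolute URLs in one step.
  if (!candidate.startsWith("/") || candidate.startsWith("//")) return home;
  let resolved: URL;
  try {
    resolved = new URL(candidate, origin);
  } catch (_err) {
    return home;
  }
  // Defence in depth: after normalisation the result must still share our origin.
  if (resolved.origin !== new URL(origin).origin) return home;
  // Return the absolute form. Returning resolved.pathname alone would be unsafe:
  // "/..//evil.example" normalises to the path "//evil.example", which a browser reads
  // as protocol-relative when it appears on its own in a Location header.
  return resolved.href;
}
```

The same function applies to any `redirect_uri`-style or `returnTo` parameter; where the legitimate targets are a small fixed set, an exact-match allowlist of paths is stricter still and should be preferred.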
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-59426
reference_id
reference_type
scores
0
value 0.00153
scoring_system epss
scoring_elements 0.35743
published_at 2026-06-07T12:55:00Z
1
value 0.00153
scoring_system epss
scoring_elements 0.35783
published_at 2026-06-06T12:55:00Z
2
value 0.00153
scoring_system epss
scoring_elements 0.35772
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-59426
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/
url https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127
3
reference_url https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/
url https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59426
reference_id CVE-2025-59426
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59426
5
reference_url https://github.com/advisories/GHSA-xph5-278p-26qx
reference_id GHSA-xph5-278p-26qx
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xph5-278p-26qx
6
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
reference_id GHSA-xph5-278p-26qx
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.130.1
purl pkg:npm/%40lobehub/chat@1.130.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-az37-1hae-y7h4
2
vulnerability VCID-fkv5-wm1u-pfh5
3
vulnerability VCID-fxza-2edn-ubhh
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.130.1
aliases CVE-2025-59426, GHSA-xph5-278p-26qx
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qf24-bv2y-6bcp
10
url VCID-vrt2-ung9-vufw
vulnerability_id VCID-vrt2-ung9-vufw
summary
Improper Access Control
Lobe Chat is a chatbot framework that supports speech synthesis, multimodal input, and an extensible Function Call plugin system. When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without the password). This vulnerability is patched in 0.122.4.
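The failure class behind this advisory is an access check applied to an enumerated list of routes, so that a route added later (here, the plugin path) is never gated. The following is an added example written for this page, not lobe-chat project code, and it does not claim to show how lobe-chat's check was actually written: `authorizeByListedRoutes` is a hypothetical policy that exhibits the class, and `authorizeDenyByDefault` is the shape of the fix. The route prefixes, the config shape and the function names are this example's assumptions. The code comparison uses `crypto.timingSafeEqual` so that a wrong code cannot be guessed one character at a time.

```typescript
// Added example, not lobe-chat project code: two access-code policies for API routes,
// one with the enumerated-routes weakness and one deny-by-default.
import { timingSafeEqual } from "node:crypto";

interface AccessConfig {
  accessCode?: string; // value of ACCESS_CODE; undefined means the deployment is open
}

type Decision = { allow: true } | { allow: false; status: number };

const ALLOW: Decision = { allow: true };
const UNAUTHORIZED: Decision = { allow: false, status: 401 };

// Constant-time comparison; a length mismatch is reported without comparing bytes.
function codeMatches(supplied: string | undefined, expected: string): boolean {
  if (supplied === undefined) return false;
  const a = Buffer.from(supplied, "utf8");
  const b = Buffer.from(expected, "utf8");
  return a.length === b.length && timingSafeEqual(a, b);
}

// Segment-aware prefix test: "/api/chat" matches "/api/chat" and "/api/chat/x", not "/api/chatter".
function underPrefix(path: string, prefix: string): boolean {
  return path === prefix || path.startsWith(prefix + "/");
}

// Drop query/fragment and collapse repeated slashes so "/api//plugin" is judged as "/api/plugin".
function normalizePath(rawPath: string): string {
  return rawPath.split(/[?#]/, 1)[0].replace(/\/{2,}/g, "/");
}

// Hypothetical weak policy: only the routes someone remembered to list are protected.
const LISTED_PROTECTED = ["/api/chat", "/api/openai"];

function authorizeByListedRoutes(rawPath: string, supplied: string | undefined, cfg: AccessConfig): Decision {
  if (cfg.accessCode === undefined) return ALLOW;
  const path = normalizePath(rawPath);
  const isProtected = LISTED_PROTECTED.some((p) => underPrefix(path, p));
  if (!isProtected) return ALLOW; // anything unlisted (a plugin gateway, say) is silently open
  return codeMatches(supplied, cfg.accessCode) ? ALLOW : UNAUTHORIZED;
}

// Hardened policy: every /api route needs the code unless it is explicitly public.
const PUBLIC_ROUTES = ["/api/health"]; // example's choice

function authorizeDenyByDefault(rawPath: string, supplied: string | undefined, cfg: AccessConfig): Decision {
  if (cfg.accessCode === undefined) return ALLOW;
  const path = normalizePath(rawPath);
  if (!underPrefix(path, "/api")) return ALLOW; // pages and static assets are not gated here
  if (PUBLIC_ROUTES.some((p) => underPrefix(path, p))) return ALLOW;
  return codeMatches(supplied, cfg.accessCode) ? ALLOW : UNAUTHORIZED;
}
```

The point of `authorizeDenyByDefault` is that adding a new API route (plugins, tools, file endpoints) cannot widen the unauthenticated surface by accident: a route is open only if someone deliberately adds it to `PUBLIC_ROUTES`, which is a reviewable change.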
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-24566
reference_id
reference_type
scores
0
value 0.00139
scoring_system epss
scoring_elements 0.33778
published_at 2026-06-07T12:55:00Z
1
value 0.00139
scoring_system epss
scoring_elements 0.33812
published_at 2026-06-06T12:55:00Z
2
value 0.00139
scoring_system epss
scoring_elements 0.33796
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-24566
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-31T19:29:39Z/
url https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-24566
reference_id CVE-2024-24566
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-24566
4
reference_url https://github.com/advisories/GHSA-pf55-fj96-xf37
reference_id GHSA-pf55-fj96-xf37
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-pf55-fj96-xf37
5
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37
reference_id GHSA-pf55-fj96-xf37
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-31T19:29:39Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37
fixed_packages
0
url pkg:npm/%40lobehub/chat@0.122.4
purl pkg:npm/%40lobehub/chat@0.122.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-78pn-bez6-nuat
1
vulnerability VCID-8qh9-2q7c-tqfd
2
vulnerability VCID-az37-1hae-y7h4
3
vulnerability VCID-facw-4ca9-ayfr
4
vulnerability VCID-fkv5-wm1u-pfh5
5
vulnerability VCID-fxza-2edn-ubhh
6
vulnerability VCID-g4u9-b2aj-s3gy
7
vulnerability VCID-kjm4-xj32-fyea
8
vulnerability VCID-p67q-uhv9-e3fe
9
vulnerability VCID-qf24-bv2y-6bcp
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.122.4
aliases CVE-2024-24566, GHSA-pf55-fj96-xf37
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vrt2-ung9-vufw
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.117.5