Package Instance
Look up vulnerable packages by Package URL.
GET /api/packages/73490?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/73490?format=api", "purl": "pkg:npm/%40lobehub/chat@1.143.2", "type": "npm", "namespace": "@lobehub", "name": "chat", "version": "1.143.2", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "0.122.4", "latest_non_vulnerable_version": "1.143.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49765?format=api", "vulnerability_id": "VCID-fkv5-wm1u-pfh5", "summary": "Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion\n`knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.", "references": [ { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23522", "reference_id": "CVE-2026-23522", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23522" }, { "reference_url": "https://github.com/advisories/GHSA-j7xp-4mg9-x28r", "reference_id": "GHSA-j7xp-4mg9-x28r", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-j7xp-4mg9-x28r" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r", "reference_id": "GHSA-j7xp-4mg9-x28r", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23522", "GHSA-j7xp-4mg9-x28r" ], "risk_score": null, "exploitability": null, 
"weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49763?format=api", "vulnerability_id": "VCID-fxza-2edn-ubhh", "summary": "Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)\nA stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).", "references": [ { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23733", "reference_id": "CVE-2026-23733", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23733" }, { "reference_url": "https://github.com/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-4gpc-rhpj-9443" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443" }, { "reference_url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23733", "GHSA-4gpc-rhpj-9443" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fxza-2edn-ubhh" } ], "fixing_vulnerabilities": [], "risk_score": null, "resource_url": 
"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.2" }