Package Instance
Look up vulnerable packages by Package URL (purl).
GET /api/packages/711642?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/711642?format=api", "purl": "pkg:npm/%40lobehub/chat@0.117.5", "type": "npm", "namespace": "@lobehub", "name": "chat", "version": "0.117.5", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.143.3", "latest_non_vulnerable_version": "1.143.3", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49906?format=api", "vulnerability_id": "VCID-78pn-bez6-nuat", "summary": "LobeHub Vulnerable to Improper Authorization in Presigned Upload\nThe file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23835", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.1316", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.132", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00042", "scoring_system": "epss", "scoring_elements": "0.13197", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23835" }, { "reference_url": "https://github.com/lobehub/lobehub", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", 
"scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobehub" }, { "reference_url": "https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23835", "reference_id": "CVE-2026-23835", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23835" }, { "reference_url": "https://github.com/advisories/GHSA-wrrr-8jcv-wjf5", "reference_id": "GHSA-wrrr-8jcv-wjf5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wrrr-8jcv-wjf5" }, { "reference_url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5", "reference_id": "GHSA-wrrr-8jcv-wjf5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-30T20:21:13Z/" } ], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5" 
} ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/73758?format=api", "purl": "pkg:npm/%40lobehub/chat@1.143.3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.3" } ], "aliases": [ "CVE-2026-23835", "GHSA-wrrr-8jcv-wjf5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-78pn-bez6-nuat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55381?format=api", "vulnerability_id": "VCID-8qh9-2q7c-tqfd", "summary": "Lobe Chat API Key Leak\nIf an attacker can successfully authenticate through SSO/Access Code, they can obtain the real backend API Key by modifying the base URL to their own attack URL on the frontend and setting up a server-side request.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37895", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00467", "scoring_system": "epss", "scoring_elements": "0.64808", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00467", "scoring_system": "epss", "scoring_elements": "0.64819", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00467", "scoring_system": "epss", "scoring_elements": "0.64809", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-37895" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37895", "reference_id": "CVE-2024-37895", "reference_type": "", "scores": [ { "value": "5.7", 
"scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37895" }, { "reference_url": "https://github.com/advisories/GHSA-p36r-qxgx-jq2v", "reference_id": "GHSA-p36r-qxgx-jq2v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p36r-qxgx-jq2v" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v", "reference_id": "GHSA-p36r-qxgx-jq2v", "reference_type": "", "scores": [ { "value": "5.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-06-18T14:05:08Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-p36r-qxgx-jq2v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81879?format=api", "purl": "pkg:npm/%40lobehub/chat@0.162.25", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-facw-4ca9-ayfr" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-g4u9-b2aj-s3gy" }, { "vulnerability": "VCID-p67q-uhv9-e3fe" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.162.25" } ], "aliases": [ "CVE-2024-37895", "GHSA-p36r-qxgx-jq2v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", 
"resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8qh9-2q7c-tqfd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48067?format=api", "vulnerability_id": "VCID-az37-1hae-y7h4", "summary": "Lobe Chat vulnerable to Server-Side Request Forgery with native web fetch module\n---\n\n- Since the server performs outbound requests to internal networks, localhost, and metadata endpoints, an attacker can abuse the server’s network position to access internal resources (internal APIs, management ports, cloud metadata, etc.).\n\n- As a result, this can lead to exposure of internal system information, leakage of authentication tokens/secret keys (e.g., IMDSv1/v2), misuse of internal admin interfaces, and provide a foothold for further lateral movement.\n\n- By leveraging user-supplied impls to force the unfiltered naive implementation, SSRF defenses—such as blocking private/metadata IPs, DNS re-validation/re-resolution, and redirect restrictions—can be bypassed.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62505", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07857", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07884", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00026", "scoring_system": "epss", "scoring_elements": "0.07871", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-62505" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": 
"https://github.com/lobehub/lobe-chat/blob/d942a635b36a231156c60d824afa573af8032572/packages/web-crawler/src/crawImpl/naive.ts#L39-L45", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/d942a635b36a231156c60d824afa573af8032572/packages/web-crawler/src/crawImpl/naive.ts#L39-L45" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/8d59583dca16f218b99213d641733d8ba77f182c", "reference_id": "", "reference_type": "", "scores": [ { "value": "3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T18:30:45Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/8d59583dca16f218b99213d641733d8ba77f182c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62505", "reference_id": "CVE-2025-62505", "reference_type": "", "scores": [ { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62505" }, { "reference_url": "https://github.com/advisories/GHSA-fgx4-p8xf-qhp9", "reference_id": "GHSA-fgx4-p8xf-qhp9", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-fgx4-p8xf-qhp9" }, { "reference_url": 
"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-fgx4-p8xf-qhp9", "reference_id": "GHSA-fgx4-p8xf-qhp9", "reference_type": "", "scores": [ { "value": "3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "3.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-17T18:30:45Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-fgx4-p8xf-qhp9" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70987?format=api", "purl": "pkg:npm/%40lobehub/chat@1.136.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.136.2" } ], "aliases": [ "CVE-2025-62505", "GHSA-fgx4-p8xf-qhp9" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-az37-1hae-y7h4" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47813?format=api", "vulnerability_id": "VCID-facw-4ca9-ayfr", "summary": "Lobe Chat Desktop vulnerable to Remote Code Execution via XSS in Chat Messages\nWe identified a cross-site scripting (XSS) vulnerability when handling chat message in lobe-chat that can be escalated to remote code execution on the user’s machine. 
Any party capable of injecting content into chat messages, such as hosting a malicious page for prompt injection, operating a compromised MCP server, or leveraging tool integrations, can exploit this vulnerability.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59417", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.448", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44822", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44815", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59417" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/apps/desktop/src/main/controllers/SystemCtr.ts#L65-L68", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/apps/desktop/src/main/controllers/SystemCtr.ts#L65-L68" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/index.ts#L7-L11", "reference_id": "", "reference_type": 
"", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/index.ts#L7-L11" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/rehypePlugin.ts#L50-L68", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Conversation/components/MarkdownElements/LobeArtifact/rehypePlugin.ts#L50-L68" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/index.tsx#L10-L32", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/index.tsx#L10-L32" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/SVG.tsx#L67-L79", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat/blob/0a1dcf943ea294e35acbe57d07f7974efede8e2e/src/features/Portal/Artifacts/Body/Renderer/SVG.tsx#L67-L79" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/9f044edd07ce102fe9f4b2fb47c62191c36da05c", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-19T17:01:22Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/9f044edd07ce102fe9f4b2fb47c62191c36da05c" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59417", "reference_id": "CVE-2025-59417", "reference_type": "", "scores": [ { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59417" }, { "reference_url": "https://github.com/advisories/GHSA-m79r-r765-5f9j", "reference_id": "GHSA-m79r-r765-5f9j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-m79r-r765-5f9j" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-m79r-r765-5f9j", "reference_id": "GHSA-m79r-r765-5f9j", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.8", "scoring_system": "cvssv4", "scoring_elements": 
"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2025-09-19T17:01:22Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-m79r-r765-5f9j" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70566?format=api", "purl": "pkg:npm/%40lobehub/chat@1.129.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.129.4" } ], "aliases": [ "CVE-2025-59417", "GHSA-m79r-r765-5f9j" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-facw-4ca9-ayfr" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49765?format=api", "vulnerability_id": "VCID-fkv5-wm1u-pfh5", "summary": "Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion\n`knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23522", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20524", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20564", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00066", "scoring_system": "epss", "scoring_elements": "0.20577", "published_at": "2026-06-05T12:55:00Z" } 
], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23522" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23522", "reference_id": "CVE-2026-23522", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23522" }, { "reference_url": "https://github.com/advisories/GHSA-j7xp-4mg9-x28r", "reference_id": "GHSA-j7xp-4mg9-x28r", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-j7xp-4mg9-x28r" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r", "reference_id": "GHSA-j7xp-4mg9-x28r", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { 
"value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23522", "GHSA-j7xp-4mg9-x28r" ], "risk_score": 1.6, "exploitability": "0.5", "weighted_severity": "3.3", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/49763?format=api", "vulnerability_id": "VCID-fxza-2edn-ubhh", "summary": "Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)\nA stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. 
This XSS can be escalated to Remote Code Execution (RCE).", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23733", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35462", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35501", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00151", "scoring_system": "epss", "scoring_elements": "0.35489", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-23733" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23733", "reference_id": "CVE-2026-23733", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23733" }, { "reference_url": "https://github.com/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-4gpc-rhpj-9443" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [ { "value": "6.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L" }, { 
"value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:28Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443" }, { "reference_url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443", "reference_id": "GHSA-4gpc-rhpj-9443", "reference_type": "", "scores": [ { "value": "9.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443" } ], "fixed_packages": [], "aliases": [ "CVE-2026-23733", "GHSA-4gpc-rhpj-9443" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fxza-2edn-ubhh" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/55885?format=api", "vulnerability_id": "VCID-g4u9-b2aj-s3gy", "summary": "lobe-chat implemented an insufficient fix for GHSA-mxhq-xw3g-rphc (CVE-2024-32964)\nSSRF protection implemented in https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts does not consider redirect and could be bypassed when attacker provides external malicious url which redirects to internal resources like private network or loopback address.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47066", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.05777", "scoring_system": "epss", 
"scoring_elements": "0.90656", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.05777", "scoring_system": "epss", "scoring_elements": "0.90653", "published_at": "2026-06-07T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-47066" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts", "reference_id": "", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/" } ], "url": "https://github.com/lobehub/lobe-chat/blob/main/src/app/api/proxy/route.ts" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf", "reference_id": "", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "6.3", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47066", "reference_id": "CVE-2024-47066", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-47066" }, { "reference_url": "https://github.com/advisories/GHSA-3fc8-2r3f-8wrg", "reference_id": "GHSA-3fc8-2r3f-8wrg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-3fc8-2r3f-8wrg" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg", "reference_id": "GHSA-3fc8-2r3f-8wrg", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", 
"scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-3fc8-2r3f-8wrg" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc", "reference_id": "GHSA-mxhq-xw3g-rphc", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "6.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:H" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-09-23T15:39:49Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82778?format=api", "purl": "pkg:npm/%40lobehub/chat@1.19.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-facw-4ca9-ayfr" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.19.13" } ], "aliases": [ "CVE-2024-47066", "GHSA-3fc8-2r3f-8wrg" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.1", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-g4u9-b2aj-s3gy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/54769?format=api", "vulnerability_id": "VCID-kjm4-xj32-fyea", "summary": "lobe-chat `/api/proxy` endpoint 
Server-Side Request Forgery vulnerability\nThe latest version of lobe-chat (v0.141.2 at the time of reporting) has an unauthenticated SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32964", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.71676", "scoring_system": "epss", "scoring_elements": "0.98752", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.71676", "scoring_system": "epss", "scoring_elements": "0.98753", "published_at": "2026-06-06T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32964" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37", "reference_id": "", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T17:50:39Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/465665a735556669ee30446c7ea9049a20cc7c37" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32964", "reference_id": "CVE-2024-32964", "reference_type": "", "scores": [ { "value": "9.0", "scoring_system": "cvssv3.1", 
"scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32964" }, { "reference_url": "https://github.com/advisories/GHSA-mxhq-xw3g-rphc", "reference_id": "GHSA-mxhq-xw3g-rphc", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxhq-xw3g-rphc" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc", "reference_id": "GHSA-mxhq-xw3g-rphc", "reference_type": "", "scores": [ { "value": "9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "9.0", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:H" }, { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-05-10T17:50:39Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-mxhq-xw3g-rphc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/81232?format=api", "purl": "pkg:npm/%40lobehub/chat@0.150.6", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-8qh9-2q7c-tqfd" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-facw-4ca9-ayfr" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-g4u9-b2aj-s3gy" }, { "vulnerability": "VCID-p67q-uhv9-e3fe" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.150.6" } ], 
"aliases": [ "CVE-2024-32964", "GHSA-mxhq-xw3g-rphc" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kjm4-xj32-fyea" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/56265?format=api", "vulnerability_id": "VCID-p67q-uhv9-e3fe", "summary": "@lobehub/chat Server-Side Request Forgery vulnerability\nlobe-chat before 1.19.13 has an unauthenticated SSRF vulnerability. An attacker can construct malicious requests to cause SSRF without logging in, attack intranet services, and leak sensitive information.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32965", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.03119", "scoring_system": "epss", "scoring_elements": "0.87097", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.03119", "scoring_system": "epss", "scoring_elements": "0.87102", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.03119", "scoring_system": "epss", "scoring_elements": "0.87105", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-32965" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.0", 
"scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/e960a23b0c69a5762eb27d776d33dac443058faf" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32965", "reference_id": "CVE-2024-32965", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-32965" }, { "reference_url": "https://github.com/advisories/GHSA-2xcc-vm3f-m8rw", "reference_id": "GHSA-2xcc-vm3f-m8rw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-2xcc-vm3f-m8rw" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw", "reference_id": "GHSA-2xcc-vm3f-m8rw", "reference_type": "", "scores": [ { "value": "8.1", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:L/A:L" }, { "value": "7.0", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-11-26T18:47:02Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-2xcc-vm3f-m8rw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/82778?format=api", 
"purl": "pkg:npm/%40lobehub/chat@1.19.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-facw-4ca9-ayfr" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.19.13" } ], "aliases": [ "CVE-2024-32965", "GHSA-2xcc-vm3f-m8rw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p67q-uhv9-e3fe" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47857?format=api", "vulnerability_id": "VCID-qf24-bv2y-6bcp", "summary": "lobe-chat has an Open Redirect\n---\n\n- It can force users to redirect to untrusted external domains, leading to subsequent attacks such as phishing, credential harvesting, and session fixation.\n- It can disrupt the OAuth/OIDC flow user experience by redirecting users to malicious domains disguised as legitimate pages (even though this path doesn't directly include tokens, it can be exploited for social engineering attacks through redirect chains).\n- The impact can be amplified when redirect chains are combined with other vulnerabilities such as CSP bypass or cache poisoning.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59426", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.35743", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.35783", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00153", "scoring_system": "epss", "scoring_elements": "0.35772", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59426" }, { 
"reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/" } ], "url": "https://github.com/lobehub/lobe-chat/blob/aa841a3879c30142720485182ad62aa0dbd74edc/src/app/(backend)/oidc/consent/route.ts#L113-L127" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/70f52a3c1fadbd41a9db0e699d1e44d9965de445" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59426", "reference_id": "CVE-2025-59426", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2025-59426" }, { "reference_url": "https://github.com/advisories/GHSA-xph5-278p-26qx", "reference_id": "GHSA-xph5-278p-26qx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xph5-278p-26qx" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx", "reference_id": "GHSA-xph5-278p-26qx", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-25T14:18:07Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-xph5-278p-26qx" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70615?format=api", "purl": "pkg:npm/%40lobehub/chat@1.130.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.130.1" } ], "aliases": [ "CVE-2025-59426", "GHSA-xph5-278p-26qx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-qf24-bv2y-6bcp" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/46922?format=api", "vulnerability_id": "VCID-vrt2-ung9-vufw", "summary": "Improper Access Control\nLobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. 
When the application is password-protected (deployed with the `ACCESS_CODE` option), it is possible to access plugins without proper authorization (without password). This vulnerability is patched in 0.122.4.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24566", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33778", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33812", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00139", "scoring_system": "epss", "scoring_elements": "0.33796", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-24566" }, { "reference_url": "https://github.com/lobehub/lobe-chat", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/lobehub/lobe-chat" }, { "reference_url": "https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-31T19:29:39Z/" } ], "url": "https://github.com/lobehub/lobe-chat/commit/2184167f09ab68e4efa051ee984ea0c4e7c48fbd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24566", "reference_id": "CVE-2024-24566", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-24566" }, { "reference_url": "https://github.com/advisories/GHSA-pf55-fj96-xf37", "reference_id": "GHSA-pf55-fj96-xf37", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-pf55-fj96-xf37" }, { "reference_url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37", "reference_id": "GHSA-pf55-fj96-xf37", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-01-31T19:29:39Z/" } ], "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-pf55-fj96-xf37" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/68665?format=api", "purl": "pkg:npm/%40lobehub/chat@0.122.4", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-78pn-bez6-nuat" }, { "vulnerability": "VCID-8qh9-2q7c-tqfd" }, { "vulnerability": "VCID-az37-1hae-y7h4" }, { "vulnerability": "VCID-facw-4ca9-ayfr" }, { "vulnerability": "VCID-fkv5-wm1u-pfh5" }, { "vulnerability": "VCID-fxza-2edn-ubhh" }, { "vulnerability": "VCID-g4u9-b2aj-s3gy" }, { "vulnerability": "VCID-kjm4-xj32-fyea" }, { "vulnerability": "VCID-p67q-uhv9-e3fe" }, { "vulnerability": "VCID-qf24-bv2y-6bcp" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.122.4" } ], "aliases": [ "CVE-2024-24566", "GHSA-pf55-fj96-xf37" ], "risk_score": 3.1, "exploitability": 
"0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vrt2-ung9-vufw" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@0.117.5" }