{"url":"http://public2.vulnerablecode.io/api/packages/73490?format=json","purl":"pkg:npm/%40lobehub/chat@1.143.2","type":"npm","namespace":"@lobehub","name":"chat","version":"1.143.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.143.3","latest_non_vulnerable_version":"1.143.3","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49765?format=json","vulnerability_id":"VCID-fkv5-wm1u-pfh5","summary":"Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion\n`knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership.","references":[{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23522","reference_id":"CVE-2026-23522","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23522"},{"reference_url":"https://github.com/advisories/GHSA-j7xp-4mg9-x28r","reference_id":"GHSA-j7xp-4mg9-x28r","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-j7xp-4mg9-x28r"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r","reference_id":"GHSA-j7xp-4mg9-x28r","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r"}],"fixed_packages":[],"aliases":["CVE-2026-23522","GHSA-j7xp-4mg9-x28r"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49763?format=json","vulnerability_id":"VCID-fxza-2edn-ubhh","summary":"Lobe Chat affected by Cross-Site Scripting(XSS) that can escalate to Remote Code Execution(RCE)\nA stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).","references":[{"reference_url":"https://github.com/lobehub/lobe-chat","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23733","reference_id":"CVE-2026-23733","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-23733"},{"reference_url":"https://github.com/advisories/GHSA-4gpc-rhpj-9443","reference_id":"GHSA-4gpc-rhpj-9443","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-4gpc-rhpj-9443"},{"reference_url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443","reference_id":"GHSA-4gpc-rhpj-9443","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443"},{"reference_url":"https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443","reference_id":"GHSA-4gpc-rhpj-9443","reference_type":"","scores":[],"url":"https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443"}],"fixed_packages":[],"aliases":["CVE-2026-23733","GHSA-4gpc-rhpj-9443"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fxza-2edn-ubhh"}],"fixing_vulnerabilities":[],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.2"}