Lookup for vulnerable packages by Package URL.

Purl pkg:npm/%40lobehub/chat@1.141.9
Type npm
Namespace @lobehub
Name chat
Version 1.141.9
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.143.3
Latest_non_vulnerable_version 1.143.3
Affected_by_vulnerabilities
0
url VCID-78pn-bez6-nuat
vulnerability_id VCID-78pn-bez6-nuat
summary
LobeHub Vulnerable to Improper Authorization in Presigned Upload
The file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23835
reference_id
reference_type
scores
0
value 0.00042
scoring_system epss
scoring_elements 0.1316
published_at 2026-06-07T12:55:00Z
1
value 0.00042
scoring_system epss
scoring_elements 0.13117
published_at 2026-06-09T12:55:00Z
2
value 0.00042
scoring_system epss
scoring_elements 0.13086
published_at 2026-06-08T12:55:00Z
3
value 0.00042
scoring_system epss
scoring_elements 0.132
published_at 2026-06-06T12:55:00Z
4
value 0.00042
scoring_system epss
scoring_elements 0.13197
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23835
1
reference_url https://github.com/lobehub/lobehub
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub
2
reference_url https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
reference_id
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23835
reference_id CVE-2026-23835
reference_type
scores
0
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23835
4
reference_url https://github.com/advisories/GHSA-wrrr-8jcv-wjf5
reference_id GHSA-wrrr-8jcv-wjf5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wrrr-8jcv-wjf5
5
reference_url https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
reference_id GHSA-wrrr-8jcv-wjf5
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-30T20:21:13Z/
url https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5
fixed_packages
0
url pkg:npm/%40lobehub/chat@1.143.3
purl pkg:npm/%40lobehub/chat@1.143.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.143.3
aliases CVE-2026-23835, GHSA-wrrr-8jcv-wjf5
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-78pn-bez6-nuat
1
url VCID-fkv5-wm1u-pfh5
vulnerability_id VCID-fkv5-wm1u-pfh5
summary
Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion
The `knowledgeBase.removeFilesFromKnowledgeBase` tRPC endpoint allows authenticated users to delete files from any knowledge base without verifying ownership.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23522
reference_id
reference_type
scores
0
value 0.00066
scoring_system epss
scoring_elements 0.20564
published_at 2026-06-06T12:55:00Z
1
value 0.00066
scoring_system epss
scoring_elements 0.20463
published_at 2026-06-09T12:55:00Z
2
value 0.00066
scoring_system epss
scoring_elements 0.20455
published_at 2026-06-08T12:55:00Z
3
value 0.00066
scoring_system epss
scoring_elements 0.20524
published_at 2026-06-07T12:55:00Z
4
value 0.00066
scoring_system epss
scoring_elements 0.20577
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23522
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/
url https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23522
reference_id CVE-2026-23522
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23522
4
reference_url https://github.com/advisories/GHSA-j7xp-4mg9-x28r
reference_id GHSA-j7xp-4mg9-x28r
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-j7xp-4mg9-x28r
5
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r
reference_id GHSA-j7xp-4mg9-x28r
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T21:35:33Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r
fixed_packages
aliases CVE-2026-23522, GHSA-j7xp-4mg9-x28r
risk_score 1.6
exploitability 0.5
weighted_severity 3.3
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fkv5-wm1u-pfh5
2
url VCID-fxza-2edn-ubhh
vulnerability_id VCID-fxza-2edn-ubhh
summary
Lobe Chat affected by Cross-Site Scripting (XSS) that can escalate to Remote Code Execution (RCE)
A stored Cross-Site Scripting (XSS) vulnerability in the Mermaid artifact renderer allows attackers to execute arbitrary JavaScript within the application context. This XSS can be escalated to Remote Code Execution (RCE).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-23733
reference_id
reference_type
scores
0
value 0.00151
scoring_system epss
scoring_elements 0.35462
published_at 2026-06-07T12:55:00Z
1
value 0.00151
scoring_system epss
scoring_elements 0.35441
published_at 2026-06-09T12:55:00Z
2
value 0.00151
scoring_system epss
scoring_elements 0.35422
published_at 2026-06-08T12:55:00Z
3
value 0.00151
scoring_system epss
scoring_elements 0.35501
published_at 2026-06-06T12:55:00Z
4
value 0.00151
scoring_system epss
scoring_elements 0.35489
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-23733
1
reference_url https://github.com/lobehub/lobe-chat
reference_id
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobe-chat
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-23733
reference_id CVE-2026-23733
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-23733
3
reference_url https://github.com/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-4gpc-rhpj-9443
4
reference_url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value 6.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:L/A:L
1
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
2
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
3
value CRITICAL
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-01-20T19:37:28Z/
url https://github.com/lobehub/lobe-chat/security/advisories/GHSA-4gpc-rhpj-9443
5
reference_url https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443
reference_id GHSA-4gpc-rhpj-9443
reference_type
scores
0
value 9.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
1
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/lobehub/lobehub/security/advisories/GHSA-4gpc-rhpj-9443
fixed_packages
aliases CVE-2026-23733, GHSA-4gpc-rhpj-9443
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fxza-2edn-ubhh
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/%2540lobehub/chat@1.141.9