CVE-2026-42045

Published: Mag 12, 2026 Last Modified: Mag 12, 2026
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 6,2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: high
User Interaction: required
Scope: changed
Confidentiality: high
Integrity: low
Availability: none

Description

AI Translation Available

LobeHub is a work-and-lifestyle space to find, build, and collaborate with agent teammates that grow with you. Prior to 2.1.48, when LobeChat processes custom tags in the Render process of src/features/Portal/Artifacts/Body/Renderer/index.tsx, if no type match is found, it will choose to call the default method, HTMLRenderer, for HTML rendering. If an attacker can induce the LLM to output content containing malicious tags, an XSS vulnerability can be created on the client side. Additionally, Lobechat's Electron main process exposes an IPC interface called runCommand, used to invoke system commands. This interface allows arbitrary command execution and does not filter the command parameter. Therefore, if an attacker can obtain a handle to window.parent.electronAPI via XSS and call the runCommand method of the IPC, the ipcMain process can execute arbitrary system commands with the current user's privileges. This vulnerability is fixed in 2.1.48.

79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Confidentiality Integrity Availability
Potential Impacts:
Bypass Protection Mechanism Read Application Data Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
Likelihood of Exploit: High
View CWE Details
https://github.com/lobehub/lobehub/security/advisories/GHSA…
https://github.com/lobehub/lobehub/security/advisories/GHSA-xq4x-622m-q8fq