@lobehub/chat (npm) — known CVEs & security advisories
Known CVE vulnerabilities and GitHub Security Advisories affecting the npm package @lobehub/chat, with affected version ranges, CVSS severity, EPSS exploit prediction, and CISA KEV status.
CVEs (11)
CVE-2024-32964 — CVSS 9.0 (critical): Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. Prior to 0.150.6…
CVE-2024-47066 — CVSS 9.0 (critical): Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.19.13, server-side request forgery protection…
CVE-2024-32965 — CVSS 8.1 (high): Lobe Chat is an open-source, AI chat framework. Versions of lobe-chat prior to 1.19.13 have an unauthorized ssrf vulnerability. An attacker…
CVE-2026-23733 — CVSS 6.4 (medium): LobeChat is an open source chat application platform. Prior to version 2.0.0-next.180, a stored Cross-Site Scripting (XSS) vulnerability in…
CVE-2025-59417 — CVSS 6.1 (medium): Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.129.4, there is a a cross-site scripting (XSS)…
CVE-2026-23835: LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload`…
CVE-2024-37895 — CVSS 5.7 (medium): Lobe Chat is an open-source LLMs/AI chat framework. In affected versions if an attacker can successfully authenticate through SSO/Access…
CVE-2024-24566 — CVSS 5.3 (medium): Lobe Chat is a chatbot framework that supports speech synthesis, multimodal, and extensible Function Call plugin system. When the…
CVE-2025-59426 — CVSS 4.3 (medium): Lobe Chat is an open-source artificial intelligence chat framework. Prior to version 1.130.1, the project's OIDC redirect handling logic…
CVE-2026-23522 — CVSS 3.7 (low): LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep…
CVE-2025-62505 — CVSS 3.0 (low): LobeChat is an open source chat application platform. The web-crawler package in LobeChat version 1.136.1 allows server-side request…