Programming & Development
0
UPVOTE
dev.to

CVE-2026-23733: Mermaid's Song: From Flowchart to Remote Code Execution in LobeChat

Mermaid's Song: From Flowchart to Remote Code Execution in LobeChat Vulnerability ID: CVE-2026-23733 CVSS Score: 6.4 Published: 2026-01-20 A stored Cross-Site Scripting (XSS) vulnerability in LobeChat's Mermaid diagram renderer allows attackers to execute arbitrary JavaScript. In the desktop Electron version, this escalates via an exposed IPC bridge to full Remote Code Execution (RCE). TL;DR LobeChat trusted user-supplied text when generating Mermaid diagrams. By injecting malicious HTML into a diagram node label, an attacker can trigger XSS. In the Electron app, this XSS exploits a privileged 'runCommand' API to execute system binaries like calc.exe (or worse) on the victim's machine. ⚠️ Exploit Status: POC Technical Details CWE ID: CWE-94 Attack Vector: Local (via Chat Content) CVSS Score: 6.4 (Medium) EPSS Score: 0.00078 Impact: Remote Code Execution (RCE) Exploit Status: PoC Available Platform: Electron / Node.js

Stefani

Stefani

7d ago
0 0

Discussion

Say something first

It all starts with you—share your thoughts now.

No comments yet.

Be the first to share your take and keep the conversation moving.

Join the conversation

Log in or sign up to add your comment and participate in the discussion!

Log In Sign Up

UPVOTERS

Community appreciation

See who found this content valuable and showed their support.

No upvotes yet.

Be the first to show your appreciation for this content.

TOPICS

Explore the same topics

Discover more content from the topics this post is mapped to.

dev.to
The PHP Criticism You've Never Actually Thought Through

TL;DR — I've been writing PHP for 15 years. I've tried Ruby, Groovy, and Java. I came back each time. This article goes through the serious criticisms of PHP —…
DC

DEV Community

2h ago
0
infoq.com
GitHub Uses eBPF to Eliminate Deployment Risks and Prevent Circ…

GitHub has introduced a new approach to improving deployment safety by leveraging eBPF, enabling the company to detect and prevent hidden circular dependencies…
IN

InfoQ

2h ago
0
dev.to
I Built an AI Agent to Do My Pre-Refinement. It Turned Into a M…

1 hour. Seven hours. Same ticket, same prompt, two days apart. The agent wasn't broken. It was showing me what my team had been doing silently for years. But…
DC

DEV Community

6h ago
0
dev.to
Tutorial: Build High-Throughput APIs with Go 1.24 and Gin 1.10

In 2024, API throughput remains the single biggest bottleneck for 68% of backend teams, with 42% of Go-based services failing to exceed 10k requests per second…
DC

DEV Community

6h ago
0
dev.to
We Ditched Open Plan Offices for Private Workspaces: Improved F…

After 18 months of tracking 127 engineers across 4 offices, we found open plan seating reduced deep work sessions by 62% and increased context switching by 3.…
JR

Jamie Rodriguez

8h ago
0
dev.to
PostSathi - I got tired of making daily posts for my business… …

Hey everyone, Not sure if this is the right place, but I wanted to share something I’ve been working on (and also get honest feedback). I run a small local s…
DC

DEV Community

8h ago
0

Keep browsing

Explore more from this topic

Dive into the full feed of curated posts covering Programming & Development.

Browse Topics

RELATED CONTENT

Continue exploring

Discover more content that aligns with your interests and this post.


Fatal error: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'Song: From Flowchart to Remote Code Execution in LobeChat', '%') THEN 4 ...' at line 24 in /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php:3133 Stack trace: #0 /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php(3133): mysqli->prepare('\n ...') #1 {main} thrown in /data/c/9/c9112b04-975e-4759-b3de-bc4061bd2afe/upvote.link/public_html/content.php on line 3133