CVE-2026-59095 is a high-severity server-side request forgery vulnerability in LobeChat before 2.2.10-canary.18. Authenticated attackers can exploit this to direct internal HTTP requests to arbitrary URLs, potentially disclosing internal service responses and cloud credentials. The vulnerability exists in the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints of Lobe [truncated]
CVE-2026-58578 is a regular expression denial of service (ReDoS) vulnerability in LobeChat before version 2.2.10-canary.15. The vulnerability allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. This can cause a denial of service to all concurrent users for tens of seconds per request. The vulne [truncated]