PatchSiren

lobehub CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH lobehub CVE published 2026-07-02

CVE-2026-59095

CVE-2026-59095 is a high-severity server-side request forgery vulnerability in LobeChat before 2.2.10-canary.18. Authenticated attackers can exploit this to direct internal HTTP requests to arbitrary URLs, potentially disclosing internal service responses and cloud credentials. The vulnerability exists in the skill import service (importFromUrl) and topic cover update (fetchImageFromUrl) endpoints of Lobe [truncated]

HIGH lobehub CVE published 2026-07-02

CVE-2026-58578

CVE-2026-58578 is a regular expression denial of service (ReDoS) vulnerability in LobeChat before version 2.2.10-canary.15. The vulnerability allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. This can cause a denial of service to all concurrent users for tens of seconds per request. The vulne [truncated]