๐Ÿ” CVE Alert

CVE-2026-58578

MEDIUM 6.5

LobeChat < 2.2.10-canary.15 - Regular Expression Denial of Service in GitHub Skill Import

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

LobeChat before version 2.2.10-canary.15 contains a regular expression denial of service (ReDoS) vulnerability that allows authenticated attackers to block the Node.js event loop by supplying a catastrophic-backtracking pattern in a GitHub repository URL path during skill import. Attackers can craft a malicious basePath value containing unescaped regex metacharacters such as catastrophic-backtracking patterns, which are injected into a dynamically constructed regular expression in the findSkillMd function and executed synchronously against archive entries, denying service to all concurrent users for tens of seconds per request.

CWE CWE-1333
Vendor lobehub
Product lobehub
Published Jul 2, 2026
Stay Ahead of the Next One

Get instant alerts for lobehub lobehub

Be the first to know when new medium vulnerabilities affecting lobehub lobehub are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Affected Versions

lobehub / lobehub
0 < 2.2.10-canary.15

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/lobehub/lobehub/releases/tag/v2.2.10-canary.15 github.com: https://github.com/lobehub/lobehub/issues/16494 github.com: https://github.com/lobehub/lobehub/pull/16548 github.com: https://github.com/lobehub/lobehub/commit/349bbe326eb8635d6d9c6a96d12702681ae3a84a vulncheck.com: https://www.vulncheck.com/advisories/lobechat-canary-15-regular-expression-denial-of-service-in-github-skill-import

Credits

George Chen