SB2026042785 - Cross-site scripting in LibreChat
Published: April 27, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cross-site scripting (CVE-ID: CVE-2025-66452)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green
The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.
The vulnerability exists due to improper neutralization of input during web page generation in api request handling when reflecting invalid JSON payloads in HTTP responses. A remote attacker can send a specially crafted request containing HTML or JavaScript code to execute arbitrary script in the victim's browser.
Remediation
Install update from vendor's website.