SB2026042785 - Cross-site scripting in LibreChat



SB2026042785 - Cross-site scripting in LibreChat

Published: April 27, 2026

Security Bulletin ID SB2026042785
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2025-66452)

CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary script in the victim's browser.

The vulnerability exists due to improper neutralization of input during web page generation in api request handling when reflecting invalid JSON payloads in HTTP responses. A remote attacker can send a specially crafted request containing HTML or JavaScript code to execute arbitrary script in the victim's browser.


Remediation

Install update from vendor's website.