Description
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.
Published: 2026-06-25
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LibreChat, an enhanced ChatGPT clone, has a stored cross‑site scripting vulnerability in its markdown artifact preview pipeline that arises when the marked library v15.0.12 does not escape double‑quote characters in image alt text, allowing an attacker to craft alt text that injects an arbitrary event handler. When the alt text is rendered in the Sandpack preview iframe, the injected script executes in the victim’s browser. The affected product is LibreChat distributed by danny‑avila. Versions prior to 0.8.4‑rc1 are impacted, with the issue fixed in 0.8.4‑rc1 and later releases. The CVSS score of 5.4 indicates moderate severity, and EPSS data is unavailable. Since the flaw requires a user to view a crafted artifact preview, exploitation is likely a local or social‑engineering scenario rather than a remote attack from an untrusted network. Once the preview is rendered, the injected script runs with the privileges of the logged‑in user, potentially allowing session hijacking or data theft. Overall risk is moderate, but impact can be high if the script runs in privileged contexts.

Affected Systems

The affected product is LibreChat distributed by danny‑avila. Versions prior to 0.8.4‑rc1 are impacted; the issue is fixed in 0.8.4‑rc1 and later releases.

Risk and Exploitability

The reported CVSS score is 5.4, indicating a moderate severity. EPSS data is unavailable, and the vulnerability is not listed in CISA’s KEV catalog. An attacker can exploit the flaw by submitting a crafted markdown artifact that includes malicious alt text; the attack requires a user to view the artifact preview, which is typically a local or social‑engineering scenario rather than a remote exploitation from an untrusted network source. Once the preview is rendered, the injected script executes with the privileges of the logged‑in user, potentially allowing session hijacking or data theft. Given the moderate CVSS score and the lack of automatic exploitation metrics, the overall risk is moderate but the impact can be high if the script runs in privileged contexts.

Generated by OpenCVE AI on June 25, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LibreChat to version 0.8.4‑rc1 or later to eliminate the unescaped alt text rendering defect
  • Disable or remove the Markdown artifact preview feature until a patched version is available, to prevent any injection while the vulnerability is unresolved
  • Implement a content security policy that restricts the execution of inline event handlers and disallows unsafe scripts, adding a secondary barrier against potential XSS payloads

Generated by OpenCVE AI on June 25, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 25 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Danny-avila
Danny-avila libre Chat
Vendors & Products Danny-avila
Danny-avila libre Chat

Thu, 25 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 25 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.
Title LibreChat: Stored XSS via unescaped image alt text in markdown artifact preview
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Danny-avila Libre Chat
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T18:02:29.089Z

Reserved: 2026-06-11T16:57:50.018Z

Link: CVE-2026-54025

cve-icon Vulnrichment

Updated: 2026-06-25T18:02:25.103Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-25T21:15:05Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')