CVE-2026-28509

{"id": "CVE-2026-28509", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 2.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-03-06T05:16:35.590", "references": [{"url": "https://github.com/langbot-app/LangBot/commit/614621ab7b84fe50da3c6137705cde5a99429866", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/langbot-app/LangBot/security/advisories/GHSA-w8gq-g4pc-xh3h", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot\u2019s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7."}, {"lang": "es", "value": "LangBot es una plataforma global de bots de mensajer\u00eda instant\u00e1nea (IM) dise\u00f1ada para LLMs. Antes de la versi\u00f3n 4.8.7, la interfaz de usuario web de LangBot renderiza HTML sin procesar suministrado por el usuario utilizando rehypeRaw, lo que puede llevar a una vulnerabilidad de cross-site scripting (XSS). Este problema ha sido parcheado en la versi\u00f3n 4.8.7."}], "lastModified": "2026-03-16T13:35:12.607", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:langbot:langbot:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DB4F4942-F13E-40BD-8610-7E1244817691", "versionEndExcluding": "4.8.7"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}