CVE-2026-28509

Source
https://cve.org/CVERecord?id=CVE-2026-28509
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28509.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28509
Aliases
  • GHSA-w8gq-g4pc-xh3h
Published
2026-03-06T04:16:58.761Z
Modified
2026-04-10T05:41:20.837672Z
Severity
  • 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:N
Summary
LangBot has a Cross-Site Scripting (XSS) Vulnerability
Details

LangBot is a global IM bot platform designed for LLMs. Prior to version 4.8.7, LangBot’s web UI renders user-supplied raw HTML using rehypeRaw, which can lead to a cross-site scripting (XSS) vulnerability. This issue has been patched in version 4.8.7.

Database specific
{
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28509.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/langbot-app/langbot

Affected ranges

Type
GIT
Repo
https://github.com/langbot-app/langbot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

Other
noReleaseProvided
v.*
v.4.4.2b1
v0.*
v0.1.0
v1.*
v1.0.0
v1.1.0
v1.2.0
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.2.0
v2.2.1
v2.2.2
v2.2.3
v2.2.4
v2.2.5
v2.3.0
v2.3.1
v2.3.2
v2.3.3
v2.3.4
v2.3.5
v2.3.6
v2.3.7
v2.3.8
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.3.1
v2.4.5
v2.4.6
v2.4.7
v2.5.0
v2.5.1
v2.5.2
v2.6.0
v2.6.1
v2.6.10
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.6.9
v3.*
v3.0.0
v3.0.1
v3.0.1.3
v3.0.2
v3.1.0
v3.1.0.1
v3.1.0.2
v3.1.0.3
v3.1.0.4
v3.1.1
v3.2.0
v3.2.0.1
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.3.0
v3.3.0.1
v3.3.0.2
v3.3.1.0
v3.3.1.1
v3.4.0
v3.4.0.1
v3.4.0.2
v3.4.1
v3.4.1.1
v3.4.1.2
v3.4.1.3
v3.4.1.4
v3.4.1.5
v3.4.1.6-pre
v3.4.10
v3.4.10.1
v3.4.10.2
v3.4.10.3
v3.4.10.4
v3.4.11
v3.4.11.1
v3.4.11.2
v3.4.12
v3.4.12.1
v3.4.13
v3.4.13.1
v3.4.14
v3.4.14.1
v3.4.14.2
v3.4.14.3
v3.4.2
v3.4.2.1
v3.4.3
v3.4.3.1
v3.4.3.2
v3.4.4
v3.4.4.1
v3.4.5
v3.4.5.1
v3.4.5.2
v3.4.6
v3.4.6.1
v3.4.6.2
v3.4.7
v3.4.7.1
v3.4.7.2
v3.4.8
v3.4.9
v3.4.9.1
v3.4.9.2
v3.4.9.3
v3.4.9.4
v3.4.9.5
v4.*
v4.0.0
v4.0.0-beta.1
v4.0.0-beta.2
v4.0.1
v4.0.2
v4.0.3
v4.0.3.1
v4.0.3.2
v4.0.3.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.8.1
v4.0.9
v4.1.0
v4.1.1
v4.1.2
v4.2.0
v4.2.1
v4.2.2
v4.3.0
v4.3.0.beta2
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.3.5
v4.3.6
v4.3.7
v4.3.7b1
v4.3.8
v4.3.9
v4.4.0
v4.4.1
v4.4.2b1
v4.5.0
v4.5.1b1
v4.5.1b2
v4.5.1b3
v4.5.3
v4.5.4
v4.6.0
v4.6.1
v4.6.2
v4.6.3
v4.6.4
v4.6.5
v4.7.0
v4.7.1
v4.7.2
v4.8.0
v4.8.1
v4.8.2
v4.8.3
v4.8.4
v4.8.5
v4.8.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28509.json"