feature/AIA-2203- Add Prompt Catalog Insert to LibreChat by gmarcelino-paychex · Pull Request #144 · paychex/LibreChat

gmarcelino-paychex · 2026-04-27T15:55:30Z

Implements server-side Prompt Catalog deep-link integration, enabling AI Hub to open LibreChat with a Prompt Catalog ID that resolves to prompt text without exposing full prompts in URLs.

What Changed

Backend: Added /api/prompthub/resolve-insert route that fetches prompt content from Prompt Catalog API with authenticated user identity headers
API Layer: Created @librechat/api handlers for server-side prompt resolution with timeout and error handling
Client: Enhanced query param handling to resolve promptCatalogId, inject content into composer, and display user-facing error toasts on failure
Config: Added PROMPT_CATALOG_API_URL environment variable

Version 2.3.33 was removed by Checkmarx (all prior tags deleted) following a security fix. 2.3.36 is the only available and currently supported tag. Made-with: Cursor

github-actions · 2026-04-27T20:33:30Z

Checkmarx One – Scan Summary & Details – 850b9626-a63a-480d-910a-06b4d56fc20b

New Issues (512)

Checkmarx found the following issues in this Pull Request

#	Issue	Source File / Package	Checkmarx Insight
1	CVE-2026-33937	Npm-handlebars-4.7.8	details Recommended version: 4.7.9 Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, `Handlebars.compile()` accepts a pr... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
2	CVE-2026-33943	Npm-happy-dom-20.8.3	details Recommended version: 20.8.9 Description: A code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaS... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
3	CVE-2026-41242	Npm-protobufjs-7.4.0	details Recommended version: 7.5.5 Description: protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code. This affects v... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
4	CVE-2026-41242	Npm-protobufjs-8.0.0	details Recommended version: 8.0.1 Description: protobufjs compiles protobuf definitions into JS functions. Attackers can manipulate these definitions to execute arbitrary JS code. This affects v... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
5	CVE-2026-4800	Npm-lodash-4.17.23	details Recommended version: 4.18.0 Description: The fix for CVE-2021-23337 added validation for the variable option in _.template but did not apply the same validation to "options.imports" key na... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
6	CVE-2023-30533	Npm-xlsx-0.18.5	details Description: In SheetJS(xlsx) Community Edition versions prior to 0.19.3 allows Prototype Pollution via a crafted file. Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
7	CVE-2024-22363	Npm-xlsx-0.18.5	details Description: SheetJS Community Edition versions prior to 0.20.2 is vulnerable to Regular Expression Denial of Service (ReDoS). Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
8	CVE-2026-27795	Npm-@langchain/core-0.3.80	details Recommended version: 1.1.21 Description: LangChain is a framework for building LLM-powered applications. Prior to version 1.1.18, a redirect-based Server-Side Request Forgery (SSRF) bypass... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
9	CVE-2026-33671	Npm-picomatch-4.0.3	details Recommended version: 4.0.4 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
10	CVE-2026-33671	Npm-picomatch-2.3.1	details Recommended version: 2.3.2 Description: `picomatch` is vulnerable prior to 2.3.2, 3.x prior to 3.0.2 and 4.x prior to 4.0.4, to Regular Expression Denial of Service (ReDoS) when processi... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
11	CVE-2026-33938	Npm-handlebars-4.7.8	details Recommended version: 4.7.9 Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the `@partial-block` special variab... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
12	CVE-2026-33939	Npm-handlebars-4.7.8	details Recommended version: 4.7.9 Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, when a Handlebars template contains... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
13	CVE-2026-33940	Npm-handlebars-4.7.8	details Recommended version: 4.7.9 Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, a crafted object placed in the temp... Attack Vector: NETWORK Attack Complexity: HIGH Vulnerable Package
14	CVE-2026-33941	Npm-handlebars-4.7.8	details Recommended version: 4.7.9 Description: Handlebars provides the power necessary to let users build semantic templates. In versions 4.0.0 through 4.7.8, the Handlebars CLI precompiler (`bi... Attack Vector: LOCAL Attack Complexity: LOW Vulnerable Package
15	CVE-2026-34043	Npm-serialize-javascript-7.0.4	details Recommended version: 7.0.5 Description: Serialize JavaScript to a superset of JSON that includes regular expressions and functions. Prior to version 7.0.5, there is a Denial-of-Service (D... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
16	CVE-2026-34226	Npm-happy-dom-20.8.3	details Recommended version: 20.8.9 Description: Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from th... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
17	CVE-2026-34601	Npm-@xmldom/xmldom-0.8.10	details Recommended version: 0.8.12 Description: xmldom is a pure JavaScript W3C standard-based (XML DOM Level 2 Core) `DOMParser` and `XMLSerializer` module. In xmldom versions through 0.6.0 and ... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
18	CVE-2026-39363	Npm-vite-7.3.1	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 6.0.0 prior to 6.4.2, 7.0.0 prior to 7.3.2, and 8.0.0 prior to 8.0.5, if it is possible t... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
19	CVE-2026-39364	Npm-vite-7.3.1	details Recommended version: 7.3.2 Description: Vite is a frontend tooling framework for JavaScript. From 7.1.0 to before 7.3.2 and 8.0.0 prior to 8.0.5, on the Vite dev server, files that should... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
20	CVE-2026-40897	Npm-mathjs-15.1.0	details Recommended version: 15.2.0 Description: This security vulnerability allowed executing arbitrary JavaScript via the expression parser of mathjs. You can be affected when you have an applic... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
21	CVE-2026-41139	Npm-mathjs-15.1.0	details Recommended version: 15.2.0 Description: Two security vulnerabilities were detected in mathjs versions 13.1.0 prior to 15.2.0, which allowed execution of arbitrary JavaScript via the mathj... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
22	CVE-2026-4926	Npm-path-to-regexp-8.2.0	details Recommended version: 8.4.0 Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera... Attack Vector: NETWORK Attack Complexity: LOW Vulnerable Package
23	Reflected_XSS	api/server/routes/agents/index.js: 55	details The method Cxc3c278a1 embeds untrusted data in generated output with write, at line 81 of /api/server/routes/agents/index.js. This untrusted data... Attack Vector
24	Reflected_XSS	packages/api/src/mcp/__tests__/helpers/oauthTestServer.ts: 115	details The method Lambda embeds untrusted data in generated output with end, at line 144 of /packages/api/src/mcp/__tests__/helpers/oauthTestServer.t... Attack Vector
25	Reflected_XSS	api/server/controllers/AuthController.js: 68	details The method Cx1cd82e68 embeds untrusted data in generated output with send, at line 162 of /api/server/controllers/AuthController.js. This untrust... Attack Vector
26	Reflected_XSS	api/server/controllers/AuthController.js: 68	details The method Cx1cd82e68 embeds untrusted data in generated output with send, at line 147 of /api/server/controllers/AuthController.js. This untrust... Attack Vector
27	Reflected_XSS	api/server/routes/agents/index.js: 55	details The method Lambda embeds untrusted data in generated output with write, at line 111 of /api/server/routes/agents/index.js. This untrusted data is... Attack Vector
28	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 732	details The method Lambda embeds untrusted data in generated output with location, at line 739 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
29	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 684	details The method Lambda embeds untrusted data in generated output with location, at line 691 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
30	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 797	details The method Lambda embeds untrusted data in generated output with location, at line 804 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
31	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 844	details The method Lambda embeds untrusted data in generated output with location, at line 851 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
32	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 1628	details The method Lambda embeds untrusted data in generated output with location, at line 1633 of /api/server/routes/__tests__/mcp.spec.js. This un... Attack Vector
33	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 1682	details The method Lambda embeds untrusted data in generated output with location, at line 1686 of /api/server/routes/__tests__/mcp.spec.js. This un... Attack Vector
34	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 458	details The method Lambda embeds untrusted data in generated output with location, at line 462 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
35	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 545	details The method Lambda embeds untrusted data in generated output with location, at line 552 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
36	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 590	details The method Lambda embeds untrusted data in generated output with location, at line 597 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
37	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 632	details The method Lambda embeds untrusted data in generated output with location, at line 639 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
38	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 481	details The method Lambda embeds untrusted data in generated output with location, at line 485 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
39	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 435	details The method Lambda embeds untrusted data in generated output with location, at line 439 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
40	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 366	details The method Lambda embeds untrusted data in generated output with location, at line 373 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
41	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 309	details The method Lambda embeds untrusted data in generated output with location, at line 315 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector
42	Reflected_XSS	api/server/routes/__tests__/mcp.spec.js: 319	details The method Lambda embeds untrusted data in generated output with location, at line 325 of /api/server/routes/__tests__/mcp.spec.js. This unt... Attack Vector

More results are available on the CxOne platform

Fixed Issues (120)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	~~CVE-2025-68665~~	Npm-@langchain/core-0.3.79
	~~CVE-2026-25547~~	Npm-@isaacs/brace-expansion-5.0.0
	~~CVE-2025-66414~~	Npm-@modelcontextprotocol/sdk-1.21.0
	~~CVE-2026-0621~~	Npm-@modelcontextprotocol/sdk-1.21.0
	~~CVE-2026-22036~~	Npm-undici-7.16.0
	~~CVE-2026-25128~~	Npm-fast-xml-parser-4.4.1
	~~CVE-2026-25128~~	Npm-fast-xml-parser-5.0.9
	~~CVE-2026-25128~~	Npm-fast-xml-parser-5.2.5
	~~CVE-2026-25536~~	Npm-@modelcontextprotocol/sdk-1.21.0
	~~CVE-2026-25639~~	Npm-axios-1.12.1
	~~Reflected_XSS~~	api/server/controllers/AuthController.js: 63
	~~Reflected_XSS~~	api/server/controllers/AuthController.js: 63
	~~Reflected_XSS~~	api/server/controllers/UserController.js: 115
	~~Reflected_XSS~~	api/server/controllers/auth/LogoutController.js: 8
	~~Reflected_XSS~~	api/server/controllers/AuthController.js: 63
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 594
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 1365
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 1413
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 454
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 495
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 553
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 338
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 270
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 261
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 374
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 409
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 281
	~~Reflected_XSS~~	api/server/routes/__tests__/mcp.spec.js: 251
	~~CVE-2025-13465~~	Npm-lodash-4.17.21
	~~CVE-2025-13466~~	Npm-body-parser-2.2.0
	~~CVE-2025-15284~~	Npm-qs-6.14.0
	~~CVE-2025-15284~~	Npm-qs-6.13.0
	~~CVE-2025-68470~~	Npm-@remix-run/router-1.15.0
	~~CVE-2025-68470~~	Npm-react-router-6.22.0
	~~CVE-2026-22029~~	Npm-@remix-run/router-1.15.0
	~~CVE-2026-2391~~	Npm-qs-6.13.0
	~~CVE-2026-2391~~	Npm-qs-6.14.0
	~~CVE-2026-25528~~	Npm-langsmith-0.3.67
	~~Open_Redirect~~	api/server/routes/mcp.js: 39
	~~Open_Redirect~~	api/server/routes/mcp.js: 38
	~~Open_Redirect~~	api/server/routes/mcp.js: 91
	~~Open_Redirect~~	api/server/routes/mcp.js: 90
	~~Privacy_Violation~~	api/server/controllers/AuthController.js: 169
	~~Unchecked_Input_for_Loop_Condition~~	api/app/clients/BaseClient.js: 173
	~~Unchecked_Input_for_Loop_Condition~~	api/app/clients/BaseClient.js: 173
	~~Unchecked_Input_for_Loop_Condition~~	api/app/clients/BaseClient.js: 173
	~~Use_Of_Hardcoded_Password~~	packages/api/src/mcp/__tests__/mcp.spec.ts: 505
	~~Use_Of_Hardcoded_Password~~	packages/api/src/mcp/__tests__/mcp.spec.ts: 497
	~~Use_Of_Hardcoded_Password~~	packages/api/src/mcp/__tests__/mcp.spec.ts: 490
	~~CVE-2025-68157~~	Npm-webpack-5.94.0
	~~CVE-2025-68458~~	Npm-webpack-5.94.0
	~~CVE-2026-24001~~	Npm-diff-4.0.2
	~~CVE-2026-24001~~	Npm-diff-7.0.0
	~~Missing_CSP_Header~~	api/server/controllers/agents/v1.js: 152
	~~PCI_Data_Exposure_in_Error_Messages~~	api/models/Transaction.js: 51
	~~PCI_Data_Exposure_in_Logs~~	api/models/Transaction.js: 38
	~~PCI_Data_Exposure_in_Logs~~	api/models/Transaction.js: 51
	~~PCI_Data_Exposure_in_Logs~~	api/models/Transaction.js: 38
	~~PCI_Data_Exposure_in_Logs~~	api/models/Transaction.js: 51
	~~Privacy_Violation_in_JWT~~	api/server/services/AuthService.js: 462
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 214
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 208
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 214
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 208
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 214
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 207
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 208
	~~Secret_Leak_in_Error_Messages~~	packages/api/src/cache/cacheConfig.ts: 23
	~~Secret_Leak_in_Error_Messages~~	api/app/clients/BaseClient.js: 214
	~~Secret_Leak_in_Error_Messages~~	packages/api/src/mcp/registry/MCPServersRegistry.ts: 51
	~~Secret_Leak_in_Error_Messages~~	packages/api/src/mcp/UserConnectionManager.ts: 60
	~~Secret_Leak_in_Error_Messages~~	packages/api/src/mcp/UserConnectionManager.ts: 103
	~~Secret_Leak_in_URL~~	api/server/routes/mcp.js: 69
	~~Secret_Leak_in_URL~~	api/server/routes/mcp.js: 566
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 90
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 91
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 97
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 97
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 98
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 90
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 85
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 84
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 66
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 67
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 84
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 79
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 78
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 78
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 73
	~~Use_of_Deprecated_or_Obsolete_Functions~~	packages/api/src/auth/domain.spec.ts: 72

More results are available on the CxOne platform

Remove the leading slash from the URL path template so that any path prefix in PROMPT_CATALOG_API_URL is preserved rather than silently discarded by the URL origin-relative resolution rules. Made-with: Cursor

gmarcelino-paychex added 2 commits April 24, 2026 16:37

feat: integrate Prompt Catalog API and add prompthub route

b5bb9c7

feat: updated documentation for prompt catalog integration

efb7da5

gmarcelino-paychex requested review from paychex-inder, paychex-joser and paychex-tmarkovi April 27, 2026 15:55

fix: bump checkmarx/ast-github-action to 2.3.36

3510eb7

Version 2.3.33 was removed by Checkmarx (all prior tags deleted) following a security fix. 2.3.36 is the only available and currently supported tag. Made-with: Cursor

fix: correct URL path construction in buildPromptCatalogPromptUrl

8f67ec1

Remove the leading slash from the URL path template so that any path prefix in PROMPT_CATALOG_API_URL is preserved rather than silently discarded by the URL origin-relative resolution rules. Made-with: Cursor

paychex-joser approved these changes Apr 28, 2026

View reviewed changes

paychex-joser merged commit e1a50fc into develop Apr 28, 2026
1 of 3 checks passed

paychex-joser deleted the feature/prompt-catalog-integration branch April 28, 2026 14:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feature/AIA-2203- Add Prompt Catalog Insert to LibreChat#144

feature/AIA-2203- Add Prompt Catalog Insert to LibreChat#144
paychex-joser merged 4 commits intodevelopfrom
feature/prompt-catalog-integration

gmarcelino-paychex commented Apr 27, 2026

Uh oh!

github-actions Bot commented Apr 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

gmarcelino-paychex commented Apr 27, 2026

Uh oh!

github-actions Bot commented Apr 27, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants