CVE-2026-21866

Medium CVSS: 5.1

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

Vendor

Dify

Product

Dify

CWE

CWE-79

Yayın Tarihi

2026-03-03 22:16:27

Güncelleme

2026-03-05 21:24:07

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Dify MEDIUM Dify 2026

Referanslar

https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564 https://github.com/langgenius/dify/pull/29811 https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4

Benzer Kayıtlar

Medium

CVE-2026-28288

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-exi…

Medium

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been foun…

High

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in…

High

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due…