CVE-2026-26023

Medium CVSS: 5.3

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed. This vulnerability is fixed in 1.13.0.

Vendor

Dify

Product

Dify

CWE

CWE-79

Yayın Tarihi

2026-02-11 22:15:52

Güncelleme

2026-02-13 15:04:10

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Dify MEDIUM Dify 2026

Referanslar

https://github.com/langgenius/dify/commit/378a1d7d08bd0ac5c75eaadc075a0f35211fcb8e https://github.com/langgenius/dify/releases/tag/1.13.0 https://github.com/langgenius/dify/security/advisories/GHSA-qqjx-5h5w-x5vj

Benzer Kayıtlar

Medium

CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rend…

Medium

CVE-2026-28288

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-exi…

High

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the…

Medium

CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_…

High

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in…

High

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due…