CVE-2026-21866

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564	Patch
https://github.com/langgenius/dify/pull/29811	Issue Tracking Patch
https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:dify:dify:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:19

Type	Values Removed	Values Added
Summary		(es) Dify es una plataforma de desarrollo de aplicaciones LLM de código abierto. Antes de la 1.11.2, Dify es vulnerable a un problema de XSS almacenado al renderizar diagramas Mermaid dentro de los chats. Esto ocurre porque la configuración predeterminada de Mermaid de Dify utiliza securityLevel: loose, lo que permite la ejecución de contenido potencialmente inseguro. Esta vulnerabilidad está corregida en la 1.11.2.

05 Mar 2026, 21:24

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 5.4
First Time		Dify Dify dify
CPE		cpe:2.3:a:dify:dify::::::::
References	~~() https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564 -~~	() https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564 - Patch
References	~~() https://github.com/langgenius/dify/pull/29811 -~~	() https://github.com/langgenius/dify/pull/29811 - Issue Tracking, Patch
References	~~() https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 -~~	() https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 - Exploit, Vendor Advisory

03 Mar 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-03 22:16

Updated : 2026-06-17 10:19

NVD link : CVE-2026-21866

Mitre link : CVE-2026-21866

CVE.ORG link : CVE-2026-21866

JSON object : View

Products Affected

dify

dify

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

5.4 /10