CVE-2026-21866

UNKNOWN 0.0

Dify - Stored XSS in chat

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

CWE	CWE-79
Vendor	langgenius
Product	dify
Published	Mar 3, 2026
Last Updated	Mar 4, 2026

Stay Ahead of the Next One

Get instant alerts for langgenius dify

Be the first to know when new unknown vulnerabilities affecting langgenius dify are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

langgenius / dify

< 1.11.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 github.com: https://github.com/langgenius/dify/pull/29811 github.com: https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564