CVE-2026-42138
Dify Vulnerable to Stored XSS via SVG-file upload
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Dify is an open-source LLM app development platform. Prior to version 1.13.1, any unauthenticated user could use POST /api/files/upload to upload an SVG file containing script, resulting in stored cross-site scripting (XSS). The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1.
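As an added example, not Dify's own code or the patch, here is a defender-side check an upload endpoint like the ones named above could run before storing an SVG, together with response headers that keep a stored SVG from executing in the application's origin even if a check is bypassed; the sample SVG documents are constructed.

```python
"""Reject SVG uploads that carry active content, and serve stored uploads inertly."""
from __future__ import annotations
import re
import xml.etree.ElementTree as ET

# Elements that embed script or foreign (HTML) content inside an SVG.
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "object", "embed"}
# Scheme that turns a link/use target into executable code.
_JS_URL = re.compile(r"^\s*javascript\s*:", re.IGNORECASE)

# Constructed sample uploads (hypothetical, not from the advisory).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* js */</script></svg>'
HANDLER_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="init()"><rect/></svg>'
JS_HREF_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="javascript:void(0)"><text>x</text></a></svg>')


def svg_active_content(data: bytes) -> list[str]:
    """Return findings for script-bearing constructs; an empty list means none found.

    A file the XML parser cannot read is reported too: browsers are lenient, so an
    upload the server cannot inspect must not be trusted just because parsing failed.
    """
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"unparseable: {exc}"]
    for elem in root.iter():
        local = elem.tag.rsplit("}", 1)[-1].lower()  # strip namespace, e.g. {...svg}script
        if local in DANGEROUS_TAGS:
            findings.append(f"element <{local}>")
        for name, value in elem.attrib.items():
            attr = name.rsplit("}", 1)[-1].lower()  # xlink:href -> href
            if attr.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"event handler {attr} on <{local}>")
            elif attr in ("href", "src") and _JS_URL.match(value):
                findings.append(f"{attr}={value!r} on <{local}>")
    return findings


def download_only_headers(content_type: str = "image/svg+xml") -> dict[str, str]:
    """Headers for serving user uploads: force download, forbid sniffing, sandbox if rendered."""
    return {
        "Content-Type": content_type,
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
```

The element and attribute lists are a starting point rather than a complete sanitizer; for production use, prefer an allow-list sanitizer and never render user-supplied SVG inline on the application's origin.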
| CWE | CWE-79 |
| Vendor | langgenius |
| Product | dify |
| Published | May 4, 2026 |
| Last Updated | May 4, 2026 |
Affected Versions
langgenius / dify
< 1.13.1