VYPR
Unrated severityNVD Advisory· Published Mar 3, 2026· Updated Mar 4, 2026

Dify - Stored XSS in chat

CVE-2026-21866

Description

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

Affected products

2
  • Langgenius/Difyllm-fuzzy2 versions
    <1.11.2+ 1 more
    • (no CPE)range: <1.11.2
    • (no CPE)range: < 1.11.2

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.