Unrated severity | NVD Advisory | Published Mar 3, 2026 | Updated Mar 4, 2026
Dify - Stored XSS in chat
CVE-2026-21866
Description
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.
Affected products
- Range: < 1.11.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564 (refsource: MISC)
- github.com/langgenius/dify/pull/29811 (refsource: MISC)
- github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 (refsource: CONFIRM)
News mentions
No linked articles in our index yet.