VYPR
Medium severity6.1NVD Advisory· Published May 4, 2026· Updated May 11, 2026

CVE-2026-42138

CVE-2026-42138

Description

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

3
  • Langgenius/Difyreferences3 versions
    (expand)+ 2 more
    • (no CPE)
    • cpe:2.3:a:langgenius:dify:*:*:*:*:*:node.js:*:*range: <1.13.1
    • (no CPE)range: <context>range</context>

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.