Medium severity6.1NVD Advisory· Published May 4, 2026· Updated May 11, 2026
CVE-2026-42138
CVE-2026-42138
Description
Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This issue has been patched in version 1.13.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3(expand)+ 2 more
- (no CPE)
- cpe:2.3:a:langgenius:dify:*:*:*:*:*:node.js:*:*range: <1.13.1
- (no CPE)range: <context>range</context>
Patches
Vulnerability mechanics
References
2- github.com/langgenius/dify/security/advisories/GHSA-cg94-8v83-7hjjnvdExploitVendor Advisory
- github.com/langgenius/dify/releases/tag/1.13.1nvdRelease Notes
News mentions
0No linked articles in our index yet.