XSS in Langgenius Dify
CVE-2026-21866
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose…
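The weak setting named in the advisory, side by side with its hardened form, as an added example that is not Dify's or Mermaid's own code. The config objects are constructed from the description above (not copied from Dify's source), `auditMermaidConfig` and `hardenMermaidConfig` are hypothetical helper names, and the block does not import Mermaid; the objects are what an application would pass to `mermaid.initialize()`.

```javascript
// Mermaid's securityLevel values: 'strict' (Mermaid's own default: HTML in
// diagram text is encoded and click callbacks are disabled), 'sandbox'
// (render inside a sandboxed iframe), 'antiscript' (HTML allowed, only
// <script> elements removed) and 'loose' (HTML and click callbacks allowed).
// CVE-2026-21866: Dify rendered chat-supplied diagrams with 'loose', so
// untrusted diagram text became stored XSS.

// Constructed sample of the weak configuration the advisory describes.
const vulnerableMermaidConfig = {
  startOnLoad: false,
  securityLevel: 'loose',
};

// Hardened form: 'strict' is the safe choice when the diagram source is
// untrusted input such as LLM or chat output.
const hardenedMermaidConfig = {
  startOnLoad: false,
  securityLevel: 'strict',
};

const KNOWN_LEVELS = ['strict', 'antiscript', 'sandbox', 'loose'];
// Levels acceptable for untrusted diagram text. 'antiscript' is excluded
// because it still lets arbitrary non-script HTML through.
const ACCEPTABLE_LEVELS = new Set(['strict', 'sandbox']);

// Returns a list of findings; an empty list means the config is acceptable.
// A missing securityLevel falls back to Mermaid's default of 'strict'.
function auditMermaidConfig(config) {
  const findings = [];
  const level = config.securityLevel === undefined ? 'strict' : config.securityLevel;
  if (!KNOWN_LEVELS.includes(level)) {
    findings.push(`unknown securityLevel "${level}"; Mermaid may reject it`);
  } else if (!ACCEPTABLE_LEVELS.has(level)) {
    findings.push(`securityLevel "${level}" allows HTML in untrusted diagram text`);
  }
  return findings;
}

// Returns a copy of config with securityLevel forced to 'strict' unless the
// audit already passes; other keys (startOnLoad, theme, ...) are preserved.
function hardenMermaidConfig(config) {
  if (auditMermaidConfig(config).length === 0) return { ...config };
  return { ...config, securityLevel: 'strict' };
}

// Usage: mermaid.initialize(hardenMermaidConfig(appConfig)) before rendering.
```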
Vulnerability class: XSS (Cross-Site Scripting)
EPSS: 0.000 (2.0th percentile)
Affected products
- Langgenius Dify — versions < 1.11.2
Weakness classification (CWE)
References
- https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 (vendor advisory)
- https://github.com/langgenius/dify/pull/29811 (fix pull request)
- https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb043564 (fix commit)