XSS in Langgenius Dify

CVE-2026-26023

Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (16.6th percentile) — read the EPSS interpretation.

Affected products

Langgenius Dify — versions < 1.13.0

Weakness classification (CWE)

CWE-79 — Cross-site Scripting

References

https://github.com/langgenius/dify/security/advisories/GHSA-qqjx-5h5w-x5vj (x_refsource_CONFIRM)
https://github.com/langgenius/dify/commit/378a1d7d08bd0ac5c75eaadc075a0f35211fcb8e (x_refsource_MISC)
https://github.com/langgenius/dify/releases/tag/1.13.0 (x_refsource_MISC)