Dify's Chat Diagrams Can Let Hackers Run Malicious Code
CVE-2026-21866
Summary
Dify's chat feature renders Mermaid diagrams, and a stored cross-site scripting flaw in that rendering lets an attacker run script in other users' browsers. The malicious content is planted when a user creates and shares a diagram, and it executes for anyone who views it. To fix this, update to Dify 1.11.2 or higher.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| dify | dify | <= 1.11.2 | – |
Original title
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Merma...
Original description
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.
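As an added illustration (not Dify's code), the Mermaid setting the description names, with the weak value beside the hardened one and a small audit helper; the function names and sample configs are my own.

```javascript
// Added example, not Dify's code: audit a Mermaid configuration object for
// the weakness described above. Mermaid's `securityLevel` decides how much
// of a diagram's text is trusted when it is rendered into the page:
//   'strict'     - default; HTML in labels is encoded, click callbacks disabled
//   'antiscript' - HTML allowed in labels, only <script> elements are removed
//   'sandbox'    - diagram is rendered inside a sandboxed iframe
//   'loose'      - raw HTML in labels and click callbacks are allowed
// With 'loose', diagram text stored by one user (e.g. in a chat message) can
// carry markup that later runs in every viewer's browser: the stored XSS the
// advisory describes.

const SECURITY_LEVELS = {
  strict: { allowsHtml: false, note: 'HTML encoded, click callbacks disabled' },
  antiscript: { allowsHtml: true, note: 'HTML allowed, <script> stripped' },
  sandbox: { allowsHtml: false, note: 'rendered in a sandboxed iframe' },
  loose: { allowsHtml: true, note: 'raw HTML and click callbacks allowed' },
};

// Report on the securityLevel of a Mermaid initialize() config.
// Mermaid's documented default is 'strict' when the key is omitted.
function auditMermaidConfig(config) {
  const level = config.securityLevel ?? 'strict';
  const info = SECURITY_LEVELS[level];
  if (!info) {
    // Unknown values are treated as unsafe so a typo cannot pass an audit.
    return { level, unsafe: true, reason: `unknown securityLevel "${level}"` };
  }
  return { level, unsafe: info.allowsHtml, reason: info.note };
}

// Return a copy of the config with the security level forced to 'strict'.
// The input object is left unchanged.
function hardenMermaidConfig(config) {
  return { ...config, securityLevel: 'strict' };
}

// Constructed sample configs: the weak setting named in the description
// (securityLevel: loose) and the hardened version of the same config.
const weakConfig = { startOnLoad: false, securityLevel: 'loose' };
const fixedConfig = hardenMermaidConfig(weakConfig);

console.log(auditMermaidConfig(weakConfig));  // unsafe: true
console.log(auditMermaidConfig(fixedConfig)); // unsafe: false
```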
NVD CVSS 3.1: 5.4
NVD CVSS 4.0: 5.1
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://github.com/langgenius/dify/commit/ae17537470bba417a8971fff705dd82ecb0435... (Patch)
- https://github.com/langgenius/dify/pull/29811 (Issue Tracking, Patch)
- https://github.com/langgenius/dify/security/advisories/GHSA-qpv6-75c2-75h4 (Exploit, Vendor Advisory)
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026