crazywoola

1 exploit Active since Mar 2026
CVE-2026-21866 WRITEUP MEDIUM WRITEUP
Dify < 1.11.2 - Stored Cross-Site Scripting via Mermaid Diagram Rendering
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.
CVSS 5.4