joel

2 exploits Active since Jul 2025
CVE-2026-21866 WRITEUP MEDIUM WRITEUP
Dify < 1.11.2 - Stored Cross-Site Scripting via Mermaid Diagram Rendering
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.
CVSS 5.4
CVE-2025-3467 WRITEUP MEDIUM WRITEUP
langgenius/dify < 1.1.3 - Stored Cross-Site Scripting via Published Chat Payload
An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.
CVSS 5.4