PT-2026-22832 · Dify · Dify

Cataliniovita-Snyk · Published 2026-03-03 · Updated 2026-03-04

CVE-2026-21866
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Dify versions prior to 1.11.2

Description: Dify, an open-source LLM app development platform, contains a stored cross-site scripting (XSS) issue when rendering Mermaid diagrams within chats. The issue stems from Dify's default Mermaid configuration using a securityLevel of "loose", which permits the execution of potentially unsafe content embedded in a diagram.

Recommendations: Update to version 1.11.2 or later.

Tags: XSS

Weakness Enumeration

Related Identifiers

CVE-2026-21866
GHSA-QPV6-75C2-75H4

Affected Products

Dify