XSS Vulnerability in Dify Open-Source LLM App Development Platform
CVE-2026-42138

6.9 MEDIUM

Key Information:

Vendor

Langgenius

Status
Vendor
CVE Published:
4 May 2026

What is CVE-2026-42138?

Dify, a popular open-source LLM application development platform, contains a cross-site scripting (XSS) vulnerability in its file upload functionality. An unauthenticated attacker can upload a malicious SVG file through the POST /api/files/upload endpoint; the authenticated POST /v1/files/upload endpoint is affected in the same way. SVG is an XML format that can carry <script> elements, event-handler attributes (onload and similar) and javascript: links, so a crafted SVG that is later rendered in a browser from the platform's origin executes attacker-controlled script in the victim's session. The CVSS v4 vector records a low integrity impact with no confidentiality or availability impact. The issue is fixed in version 1.13.1; deployments running earlier versions should upgrade.
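The SVG constructs named above are what an upload validator has to look for. The following Python example is added here and is not Dify's code or part of the fix in 1.13.1; it shows a stand-alone check that flags active content in an uploaded SVG (script elements, foreignObject, on* handlers, javascript:/data: links, and the animate/set trick that injects a javascript: href at animation time), plus the response headers that keep a stored SVG from rendering in the application origin. The function names, the sample SVGs and the header policy are assumptions for illustration.

```python
"""Validate uploaded SVG files for active content that would execute as stored
XSS if the file were rendered inline. Added example, not project code."""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Elements that run script or embed arbitrary HTML when an SVG is rendered.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# SMIL animation elements can rewrite attributes (e.g. href) at render time.
ANIMATION_ELEMENTS = {"animate", "set", "animatemotion", "animatetransform"}
# Attribute values that execute or smuggle content via the URL scheme.
DANGEROUS_SCHEME = re.compile(r"(?:^|;)\s*(javascript|vbscript|data)\s*:", re.I)


def _local(name: str) -> str:
    """Strip an XML namespace prefix like {http://...} from a tag/attribute."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes: bytes) -> list[str]:
    """Return findings for one uploaded file; [] means nothing active found.
    Malformed XML is itself a finding so the caller rejects the upload.
    Note: stdlib ElementTree expands internal entities; in production parse
    with defusedxml to also stop entity-expansion attacks (assumption)."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings: list[str] = []
    if _local(root.tag) != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")

    for elem in root.iter():  # includes the root element
        name = _local(elem.tag)
        if name in ACTIVE_ELEMENTS:
            findings.append(f"active element <{name}>")
        for attr, value in elem.attrib.items():
            aname = _local(attr)  # xlink:href becomes plain "href"
            if aname.startswith("on"):
                findings.append(f"event handler {aname} on <{name}>")
            elif aname in {"href", "src"} and DANGEROUS_SCHEME.search(value):
                findings.append(f"{aname}={value!r} on <{name}>")
        if name in ANIMATION_ELEMENTS:
            # <set attributeName="onload"> or <animate values="javascript:..">
            target = elem.attrib.get("attributeName", "").lower()
            if target.startswith("on"):
                findings.append(f"<{name}> animating {target}")
            for key in ("to", "from", "by", "values"):
                if DANGEROUS_SCHEME.search(elem.attrib.get(key, "")):
                    findings.append(f"<{name}> {key}={elem.attrib[key]!r}")
    return findings


def download_headers(filename: str) -> dict[str, str]:
    """Response headers for serving a stored SVG as a download rather than an
    inline document, so any residual script never runs in the app origin.
    Assumed hardening, not the vendor's patch."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }


# Constructed sample uploads (not real-world files).
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
ONLOAD_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"/>'
XLINK_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
             b'xmlns:xlink="http://www.w3.org/1999/xlink">'
             b'<a xlink:href="javascript:alert(1)"><text>x</text></a></svg>')
ANIMATE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg"><a href="#">'
               b'<animate attributeName="href" values="#;javascript:alert(1)"/>'
               b'<text>x</text></a></svg>')


if __name__ == "__main__":
    for label, sample in [("benign", BENIGN_SVG), ("script", SCRIPT_SVG),
                          ("onload", ONLOAD_SVG), ("xlink", XLINK_SVG),
                          ("animate", ANIMATE_SVG)]:
        print(label, find_active_content(sample))
```

Rejecting a file that has any finding is the simplest policy; stripping the offending nodes is possible but error-prone, and serving SVGs only with the attachment/sandbox headers above is the cheaper backstop even when sanitisation is also done.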

Affected Version(s)

dify < 1.13.1

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability reserved

  • Vulnerability published: 4 May 2026
