CVE-2026-6619
Published 2026-04-20
CVE-2026-6619: A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file…
Priority: P4 · 21 · low
CVSS 3.1: 3.5 (AV:N / AC:L / PR:L / UI:R / S:U / C:N / I:L / A:N)
EPSS: 0.21% (10.7th percentile)
A vulnerability has been found in langgenius dify up to 1.13.3. It affects the function openInNewTab in the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. Manipulating the argument filename leads to cross-site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| langgenius | dify | — | — |
| langgenius | dify | — | — |
| langgenius | dify | — | — |
| langgenius | dify | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 3.5 | LOW | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
| nvd | v4.0 | 2.0 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
GHSA
GHSA-jp7c-75vm-9jwh: A vulnerability has been found in langgenius dify up to 1
ghsa_unreviewed · 2026-04-20
CVE-2026-6619 [MEDIUM] CWE-79 GHSA-jp7c-75vm-9jwh: A vulnerability has been found in langgenius dify up to 1
VulDB
langgenius dify up to 1.13.3 ImagePreview image-preview.tsx openInNewTab filename cross site scripting
vuldb · 2026-04-19
CVE-2026-6619 [LOW] langgenius dify up to 1.13.3 ImagePreview image-preview.tsx openInNewTab filename cross site scripting
A vulnerability was found in langgenius dify up to 1.13.3. It has been rated as problematic. It affects the function openInNewTab in the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. Manipulating the argument filename leads to cross-site scripting.
This vulnerability is listed as CVE-2026-6619. The attack may be initiated remotely. In addition, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-20