CVE-2026-6619
Cross-Site Scripting in Langgenius Dify ImagePreview Component

Publication date: 2026-04-20

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Generated: 2026-05-07
AI Q&A generated: 2026-04-20
EPSS evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: langgenius
Product: dify
Version / Range: up to and including 1.13.3
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows execution of arbitrary JavaScript in the victim's browser context through a DOM-based Cross-Site Scripting (XSS) attack. This can lead to session hijacking, account takeover, data theft, phishing, and malware distribution.

Such impacts can compromise the confidentiality and integrity of sensitive user data, which may violate data protection regulations like GDPR and HIPAA that require safeguarding personal and health information against unauthorized access and breaches.

Therefore, the presence of this vulnerability could lead to non-compliance with these standards due to potential unauthorized data exposure and exploitation of user sessions.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerable code runs in the browser, so there is no network signature to look for; what can be checked is whether the deployed Dify web frontend is an affected version (up to and including 1.13.3) and whether its ImagePreview component still writes the uploaded file's name into a new document without HTML-escaping it. On a source checkout, read web/app/components/base/image-uploader/image-preview.tsx and look at how openInNewTab builds the markup it hands to document.write().

A functional check is to upload an image whose filename contains an attribute-breaking payload, open it in the preview, and click "Open in New Tab": if the filename is interpolated unescaped, the script in it executes in the new window. Note that the window opened by window.open() starts as about:blank, and an about:blank document inherits the opener's origin, so script written into it runs with the Dify application's origin rather than in an isolated context.

The snippet below, run in any browser console, only reproduces the pattern (an unescaped filename written into an img alt attribute with document.write()) and shows that a script element written this way executes. It does not touch Dify's code, so an alert here confirms that the pattern is exploitable, not that a particular instance is affected:

    const maliciousTitle = '"><script>alert("XSS from Dify!")</script><img alt="';
    const imageUrl = 'data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8/5+hHgAHggJ/PchI7wAAAABJRU5ErkJggg==';
    const win = window.open();
    win.document.write(`<img src="${imageUrl}" alt="${maliciousTitle}" />`);

If the new window opens and the alert fires, the pattern executes script; to confirm that a given deployment is affected, check its version or run the upload test above.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation is to stop openInNewTab from writing the unescaped filename into the new document. This entry records no vendor response, so the change below is a local patch to web/app/components/base/image-uploader/image-preview.tsx until an upstream fix is available.

Recommended fixes are:

  • Avoid document.write() for markup that contains user-controlled data. Build the element with DOM APIs instead: a value assigned through a property such as img.alt is stored as attribute text and is never parsed as HTML.
  • If document.write() must be kept, HTML-escape the filename (title) before interpolating it, so that a quote or angle bracket in it cannot close the attribute and start a new tag.

Example safe code using DOM APIs:

    const openInNewTab = () => {
      if (url.startsWith('data:image')) {
        const win = window.open();
        if (win) {
          const img = win.document.createElement('img');
          img.src = url;
          img.alt = title; // stored as attribute text, never parsed as HTML
          win.document.body.appendChild(img);
        }
      }
    };

Alternatively, apply an HTML escape function to the title before using document.write():

    const escapeHtml = (str) => {
      // '&' is replaced first so the entities added afterwards are not escaped again
      return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;').replace(/'/g, '&#039;');
    };
    win?.document.write(`<img src="${url}" alt="${escapeHtml(title)}" />`);

Escape url the same way when it is interpolated into the template: the startsWith('data:image') check only constrains the prefix, and a quote later in the value would close the src attribute just as a quote in the filename closes alt.

Can you explain this vulnerability to me?

This vulnerability exists in the langgenius dify software up to version 1.13.3, specifically in the openInNewTab function within the ImagePreview component. It involves improper handling of the filename argument, which can be manipulated to perform a cross-site scripting (XSS) attack. This means an attacker can inject malicious scripts that execute in the context of the affected application.

The attack can be initiated remotely, and the exploit has already been publicly disclosed. The vendor was informed early but did not respond.


How can this vulnerability impact me?

This vulnerability can allow an attacker to execute malicious scripts in the context of the affected application, potentially leading to unauthorized actions or data manipulation. Since it is a cross-site scripting vulnerability, it may be used to hijack user sessions, deface websites, or redirect users to malicious sites.

The CVSS scores assigned to this entry rate it as low to moderate severity, with the scored impact on integrity rather than on confidentiality or availability.

