CVE-2026-6619 - Vulnerability Details

- langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting

Description

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Published: 2026-04-20

Score: 5.1 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

This vulnerability resides in the openInNewTab function of ImagePreview within the Dify image‑uploader component. By manipulating the filename argument, an attacker can inject malicious script that is executed in the context of the page, enabling arbitrary script execution on the victim’s browser. The flaw is a classic reflected XSS issue, classified as CWE‑79, and permits remote exploitation. The attack originates from external input supplied to the image preview feature and can be triggered without any user interaction beyond loading the crafted asset.

Affected Systems

langgenius Dify versions up to 1.13.3 are affected. The vulnerability is confined to the web application’s image‑uploader module and does not influence database or backend services beyond the client‑side rendering.

Risk and Exploitability

The CVSS score of 5.1 denotes a medium risk category. EPSS data is not currently available, and the flaw is not listed in CISA’s KEV catalog. The exploit can be launched remotely by sending a manipulated filename to the openInNewTab handler, and once executed, the injected script runs with the permissions of the logged‑in user. Because the flaw relies on user‑visible rendering of image links, it does not require elevated privileges or network access beyond the standard application traffic.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

langgenius

dify

affected

Version	Status	Constraints
`1.13.0`	affected	—
`1.13.1`	affected	—
`1.13.2`	affected	—
`1.13.3`	affected	—

No data.

Vendor Product Confidence Versions

Langgenius

Dify

95%

Version	Status	Scheme	Platform
`1.13.0`	affected	semver	—
`1.13.1`	affected	semver	—
`1.13.2`	affected	semver	—
`1.13.3`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Update Dify to the latest release that includes the image‑uploader fix.
Ensure that the filename parameter is strictly validated and any HTML or script tags are stripped before rendering.
Apply a strong Content Security Policy that disallows inline scripts from untrusted sources.

Generated by OpenCVE AI on April 20, 2026 at 09:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8
https://vuldb.com/submit/792242
https://vuldb.com/vuln/358254
https://vuldb.com/vuln/358254/cti

History

Mon, 20 Apr 2026 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 20 Apr 2026 08:45:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Title		langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting
First Time appeared		Langgenius Langgenius dify
Weaknesses		CWE-79 CWE-94
CPEs		cpe:2.3:a:langgenius:dify::::::::
Vendors & Products		Langgenius Langgenius dify
References		https://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8 https://vuldb.com/submit/792242 https://vuldb.com/vuln/358254 https://vuldb.com/vuln/358254/cti
Metrics		cvssV2_0 `{'score': 4, 'vector': 'AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.5, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Langgenius Dify

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-20T08:00:17.267Z

Updated: 2026-04-20T13:29:29.634Z

Reserved: 2026-04-19T16:18:42.738Z

Link: CVE-2026-6619

Vulnrichment

Updated: 2026-04-20T13:29:26.841Z

NVD

Status : Received

Published: 2026-04-20T09:16:09.800

Modified: 2026-04-20T09:16:09.800

Link: CVE-2026-6619

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T09:30:03Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Attack Requirements None

User Interaction Passive

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object