langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting_CVE-2026-6619

5.1 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Basic Information

ID CVE-2026-6619

Source VulDB

Published Apr 20, 2026 at 08:00

Affected Product

Vendor langgenius

Product dify

Version 1.13.0

Affected Versions langgenius dify 1.13.0
langgenius dify 1.13.1
langgenius dify 1.13.2
langgenius dify 1.13.3

CWE Classification

CWE-79 CWE-94

References

{
    "lastseen": "",
    "description": "A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
    "published": "2026-04-20T08:00:17.267Z",
    "modified": "2026-04-20T08:00:17.267Z",
    "type": "cve",
    "title": "langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting",
    "source": "VulDB",
    "references": "https://vuldb.com/vuln/358254\nhttps://vuldb.com/vuln/358254/cti\nhttps://vuldb.com/submit/792242\nhttps://gist.github.com/chenhouser2025/a8ac169dad5cf84811cf9c0505491ea8",
    "id": "CVE-2026-6619",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79",
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "langgenius dify 1.13.0\nlanggenius dify 1.13.1\nlanggenius dify 1.13.2\nlanggenius dify 1.13.3",
    "sourceHref": "",
    "cvss": {
        "score": 5.1,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "dify",
    "version": "1.13.0",
    "vendor": "langgenius",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}