CVE-2026-21866 is a stored cross-site scripting (XSS) vulnerability identified in the langgenius Dify platform, an open-source tool for developing large language model (LLM) applications. The vulnerability exists in versions prior to 1.11.2 and is specifically related to the rendering of Mermaid diagrams within chat interfaces. Mermaid is a popular diagramming and charting tool that allows users to create visualizations from text definitions. Dify’s default Mermaid configuration uses securityLevel: loose, which does not sufficiently sanitize or neutralize potentially malicious input embedded in Mermaid diagrams. This improper neutralization of input (classified under CWE-79) allows attackers to inject malicious JavaScript code that is stored and later executed in the browsers of users viewing the affected chat content. The vulnerability does not require authentication to exploit but does require user interaction to trigger the malicious script execution. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required, and user interaction needed, with limited scope and impact confined to confidentiality, integrity, and availability at a low level. The vulnerability was reserved in early January 2026 and published in March 2026, with no known exploits reported in the wild. The fix implemented in version 1.11.2 involves changing the Mermaid configuration to a more restrictive security level that prevents unsafe content execution, thereby mitigating the risk of stored XSS attacks within chat diagrams.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript code in the browsers of users interacting with maliciously crafted Mermaid diagrams in Dify chat sessions. This can lead to session hijacking, theft of sensitive information such as authentication tokens or personal data, unauthorized actions performed on behalf of the user, and the potential spread of malware or further attacks within the affected environment. Since Dify is an LLM app development platform, compromised user sessions could also lead to manipulation or leakage of proprietary AI models, training data, or intellectual property. The stored nature of the XSS means the malicious payload persists and affects multiple users, increasing the attack surface. Although the CVSS score is medium, the impact on confidentiality and integrity can be significant in environments where sensitive AI development and collaboration occur. Organizations relying on Dify for LLM app development, especially those with multiple users sharing chat content, face increased risk of data breaches and operational disruption if the vulnerability is exploited.

To mitigate this vulnerability, organizations should immediately upgrade all Dify installations to version 1.11.2 or later, where the Mermaid configuration uses a more secure securityLevel setting that prevents unsafe script execution. In addition, administrators should review and sanitize any existing Mermaid diagrams in chat histories to remove potentially malicious content. Implementing Content Security Policy (CSP) headers that restrict script execution sources can provide an additional layer of defense against XSS attacks. User education on the risks of interacting with untrusted chat content and diagrams is also important. For environments where immediate upgrade is not feasible, disabling Mermaid diagram rendering or restricting chat functionality to trusted users can reduce exposure. Regular security audits and monitoring for unusual chat activity or script execution attempts should be conducted to detect potential exploitation attempts early.