CVE-2026-26023: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in langgenius dify
Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross-site scripting vulnerability has been found in the web application chat frontend when using echarts. User or LLM inputs that contain echarts content carrying a specific JavaScript payload will be executed. This vulnerability is fixed in 1.13.0.
AI Analysis
Technical Summary
CVE-2026-26023 is a cross-site scripting vulnerability classified under CWE-79, found in the langgenius dify platform, an open-source large language model (LLM) app development environment. The vulnerability affects dify versions prior to 1.13.0 and resides in the web application's chat frontend component, specifically when rendering charts using the echarts library. The flaw arises due to improper neutralization of input during web page generation, allowing malicious user or LLM-generated inputs containing specially crafted JavaScript payloads embedded within echarts data to be executed in the context of the victim's browser. This means that an attacker can inject script code that runs when a user views the chat interface, potentially stealing session tokens, performing actions on behalf of the user, or delivering further malicious payloads. The vulnerability does not require any privileges or authentication to exploit but does require the victim to interact with the malicious input, such as viewing a chat message containing the payload. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low complexity, no privileges required, but requiring user interaction. The vulnerability was publicly disclosed on February 11, 2026, and fixed in dify version 1.13.0. No known exploits have been reported in the wild to date. The root cause is insufficient input sanitization and output encoding when integrating user or LLM inputs into echarts visualizations within the chat frontend, allowing script injection. This highlights the risk of rendering untrusted input directly in dynamic JavaScript-based charting components without proper escaping or sanitization.
Potential Impact
The primary impact of this vulnerability is the potential for attackers to execute arbitrary JavaScript code in the browsers of users interacting with the vulnerable dify chat frontend. This can lead to theft of sensitive information such as session cookies, credentials, or personal data, unauthorized actions performed on behalf of the user, and the delivery of further malware or phishing content. For organizations, this could result in compromised user accounts, data breaches, reputational damage, and potential regulatory penalties if personal data is exposed. Since dify is an LLM app development platform, attackers might also manipulate or disrupt AI-driven workflows or data integrity by injecting malicious scripts. The medium severity score reflects that while the vulnerability requires user interaction and does not grant direct system access, the scope of affected users and the sensitive nature of chat applications can amplify the impact. Organizations deploying dify in production environments, especially those exposing chat interfaces to external users or customers, face increased risk. The lack of known exploits in the wild suggests limited current active exploitation, but the vulnerability’s presence in open-source software means it could be discovered and weaponized by attackers in the future.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade langgenius dify to version 1.13.0 or later, where the issue is fixed. In addition to patching, developers should implement strict input validation and output encoding for all user and LLM inputs rendered in the chat frontend, especially those integrated into echarts visualizations. Employ a whitelist approach to allowed characters or data formats for chart inputs to prevent injection of executable code. Use security-focused libraries or frameworks that automatically escape or sanitize dynamic content. Implement Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser context. Conduct thorough security testing, including automated scanning and manual code review, focusing on areas where user input is rendered in JavaScript or HTML contexts. Educate users about the risks of interacting with untrusted chat content and monitor logs for suspicious activity or attempts to inject scripts. Finally, maintain an incident response plan to quickly address any exploitation attempts.
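One way to apply the allowlist advice above to chart options, as an added example (not Dify's code or its 1.13.0 fix); the function names, the allowlisted keys and the sample input are assumptions.

```javascript
// Added illustration; not Dify's code. All names are hypothetical.
const ALLOWED_TOP_LEVEL = new Set(['title', 'legend', 'grid', 'xAxis', 'yAxis', 'series']);
// Dropped at any depth: "formatter" accepts templates/callbacks in ECharts;
// the other keys guard against prototype pollution while copying.
const DROPPED_KEYS = new Set(['formatter', '__proto__', 'constructor', 'prototype']);
const MARKUP = /[<>]|javascript:/i;
const MAX_DEPTH = 8;

function cleanValue(value, depth) {
  if (depth > MAX_DEPTH) throw new Error('option nested too deeply');
  if (value === null || typeof value === 'number' || typeof value === 'boolean') return value;
  if (typeof value === 'string') {
    if (MARKUP.test(value)) throw new Error('markup not allowed in chart strings');
    return value;
  }
  if (Array.isArray(value)) return value.map((v) => cleanValue(v, depth + 1));
  const out = {};
  for (const [key, v] of Object.entries(value)) {
    if (!DROPPED_KEYS.has(key)) out[key] = cleanValue(v, depth + 1);
  }
  return out;
}

// Parse chart text from a user or an LLM as data only: JSON.parse, never
// eval/new Function, so functions cannot arrive in the option object.
function parseUntrustedChartOption(text) {
  let parsed;
  try {
    parsed = JSON.parse(text);
  } catch (err) {
    return { ok: false, reason: 'not valid JSON' };
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ok: false, reason: 'option must be a JSON object' };
  }
  const option = {};
  try {
    for (const [key, v] of Object.entries(parsed)) {
      if (ALLOWED_TOP_LEVEL.has(key)) option[key] = cleanValue(v, 1);
    }
  } catch (err) {
    return { ok: false, reason: err.message };
  }
  return { ok: true, option };
}

// Constructed sample input: "tooltip" is not allowlisted and is discarded.
const SAMPLE = '{"title":{"text":"Sales"},"tooltip":{"formatter":"{b}"},"series":[{"type":"bar","data":[1,2,3]}]}';
console.log(JSON.stringify(parseUntrustedChartOption(SAMPLE)));
```

Only the returned `option` object should reach the chart renderer; a rejected input is better shown as plain text than rendered.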
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Japan, South Korea, India, Netherlands
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-09T21:36:29.555Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 698cf5244b57a58fa1cd8256
Added to database: 2/11/2026, 9:31:16 PM
Last enriched: 2/19/2026, 1:58:13 PM
Last updated: 3/29/2026, 1:41:26 AM