CVE-2026-6619

| EUVD-2026-23809 MEDIUM
2026-04-20 VulDB
XSS
5.1
CVSS 4.0
Share

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
P
Scope
X

Lifecycle Timeline

3
Severity Changed
Apr 20, 2026 - 09:37 NVD
LOW MEDIUM
CVSS Changed
Apr 20, 2026 - 09:37 NVD
3.5 (LOW) 5.1 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 08:57 vuln.today

DescriptionNVD

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Cross-site scripting in Dify's ImagePreview component (web/app/components/base/image-uploader/image-preview.tsx) allows authenticated users to inject malicious scripts via the filename argument in the openInNewTab function, affecting versions up to 1.13.3. The vulnerability requires user interaction (UI:R) and authenticated access (PR:L), limiting impact to low integrity compromise with no confidentiality or availability impact. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-6619 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy