Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-6619
3.5 LOW
- CVSS version: 3.1
- Attack vector (AV):
- Attack complexity (AC):
- Privileges required (PR):
- User interaction (UI):
- Scope (S):
- Confidentiality impact (C):
- Integrity impact (I):
- Availability impact (A):
Activity log
- Created suggestion
langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
-
VDB-358254 | langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting technical-descriptionvdb-entry
-
-
Submit #792242 | LangGenius Dify v1.13.3 Cross-Site Scripting (CWE-79) third-party-advisory
Affected products
dify
- ==1.13.3
- ==1.13.1
- ==1.13.2
- ==1.13.0
Matching in nixpkgs
pkgs.speedify
Use multiple internet connections in parallel
-
nixos-unstable 15.8.2-12611
- nixpkgs-unstable 15.8.2-12611
- nixos-unstable-small 15.8.2-12611
-
nixos-25.11 15.8.2-12611
- nixos-25.11-small 15.8.2-12611
- nixpkgs-25.11-darwin 15.8.2-12611
Package maintainers
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@zahrun Zahrun <zahrun@murena.io>