CVE-2026-41949
- EPSS 0.44%
- Veröffentlicht 18.05.2026 13:52:03
- Zuletzt bearbeitet 22.06.2026 18:16:37
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's ...
CVE-2026-41948
- EPSS 0.51%
- Veröffentlicht 18.05.2026 13:50:21
- Zuletzt bearbeitet 22.06.2026 18:16:37
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse ou...
CVE-2026-41947
- EPSS 0.45%
- Veröffentlicht 18.05.2026 13:48:03
- Zuletzt bearbeitet 22.06.2026 18:16:36
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership...
CVE-2026-34082
- EPSS 0.19%
- Veröffentlicht 20.04.2026 23:16:24
- Zuletzt bearbeitet 23.04.2026 15:12:29
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else...
CVE-2026-21866
- EPSS 0.22%
- Veröffentlicht 03.03.2026 21:42:25
- Zuletzt bearbeitet 05.03.2026 21:24:07
Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which all...
CVE-2026-28288
- EPSS 0.64%
- Veröffentlicht 27.02.2026 20:25:24
- Zuletzt bearbeitet 09.03.2026 20:23:10
Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.
CVE-2026-26023
- EPSS 0.25%
- Veröffentlicht 11.02.2026 21:23:09
- Zuletzt bearbeitet 13.02.2026 15:04:10
Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript ...
CVE-2025-67732
- EPSS 0.31%
- Veröffentlicht 05.01.2026 21:41:01
- Zuletzt bearbeitet 12.01.2026 18:20:15
Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, po...
CVE-2025-63388
- EPSS 0.2%
- Veröffentlicht 18.12.2025 00:00:00
- Zuletzt bearbeitet 28.01.2026 17:16:07
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-...
CVE-2025-63386
- EPSS 0.21%
- Veröffentlicht 18.12.2025 00:00:00
- Zuletzt bearbeitet 11.02.2026 15:16:16
A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentia...