Dify

Dify

16 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
Exploit
  • EPSS 0.79%
  • Veröffentlicht 18.12.2025 00:00:00
  • Zuletzt bearbeitet 05.07.2026 02:16:57

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) expos...

  • EPSS 28.04%
  • Veröffentlicht 18.12.2025 00:00:00
  • Zuletzt bearbeitet 22.01.2026 20:16:09

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement ...

Exploit
  • EPSS 0.65%
  • Veröffentlicht 30.09.2025 17:15:41
  • Zuletzt bearbeitet 07.10.2025 13:20:03

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.

Exploit
  • EPSS 0.15%
  • Veröffentlicht 14.04.2025 00:00:00
  • Zuletzt bearbeitet 18.06.2025 13:40:32

Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi.

Exploit
  • EPSS 0.56%
  • Veröffentlicht 20.03.2025 10:09:14
  • Zuletzt bearbeitet 01.04.2025 20:35:15

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. The vulnerability exists due to improper handling of the api_endpoint parameter, allowing an attacker to make direct requests to internal network services. Thi...

Exploit
  • EPSS 0.98%
  • Veröffentlicht 20.03.2025 10:09:11
  • Zuletzt bearbeitet 27.03.2025 19:18:14

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function `vn.get_training_plan_generic(df_information_schema)`, which does no...