CVE-2026-61461
- EPSS 0.36%
- Veröffentlicht 10.07.2026 18:10:35
- Zuletzt bearbeitet 10.07.2026 20:16:49
Dify before 1.16.0-rc1 contains a SQL injection vulnerability in the MyScale vector store backend that allows attackers to execute arbitrary SQL by supplying unsanitized search parameters to the search_by_full_text method without escaping or paramete...
CVE-2026-41949
- EPSS 0.44%
- Veröffentlicht 18.05.2026 13:52:03
- Zuletzt bearbeitet 22.06.2026 18:16:37
Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's ...
CVE-2026-41948
- EPSS 0.51%
- Veröffentlicht 18.05.2026 13:50:21
- Zuletzt bearbeitet 22.06.2026 18:16:37
Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse ou...
CVE-2026-41947
- EPSS 0.45%
- Veröffentlicht 18.05.2026 13:48:03
- Zuletzt bearbeitet 22.06.2026 18:16:36
Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership...
CVE-2026-41950
- EPSS 0.33%
- Veröffentlicht 05.05.2026 21:16:23
- Zuletzt bearbeitet 22.06.2026 18:16:37
Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a ch...
CVE-2026-42138
- EPSS 0.24%
- Veröffentlicht 04.05.2026 17:34:36
- Zuletzt bearbeitet 11.05.2026 21:08:32
Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through t...
CVE-2026-34082
- EPSS 0.19%
- Veröffentlicht 20.04.2026 23:16:24
- Zuletzt bearbeitet 23.04.2026 15:12:29
Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else...
CVE-2026-6619
- EPSS 0.21%
- Veröffentlicht 20.04.2026 08:00:17
- Zuletzt bearbeitet 29.04.2026 01:00:01
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads ...
CVE-2026-6618
- EPSS 0.21%
- Veröffentlicht 20.04.2026 07:45:16
- Zuletzt bearbeitet 29.04.2026 01:00:01
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argum...
CVE-2026-6617
- EPSS 0.2%
- Veröffentlicht 20.04.2026 07:30:12
- Zuletzt bearbeitet 29.04.2026 01:00:01
A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function get_api_tool_provider_remote_schema of the file api/services/tools/api_tools_manage_service.py of the component ApiToolManageService. Performing a ma...