Langgenius

Dify

19 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6

CVE-2025-59422

  • EPSS 0.04%
  • Veröffentlicht 25.09.2025 14:15:45
  • Zuletzt bearbeitet 26.09.2025 14:32:53

Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same workspace to read...

5.4

CVE-2025-3467

Exploit
  • EPSS 0.04%
  • Veröffentlicht 07.07.2025 09:56:19
  • Zuletzt bearbeitet 10.07.2025 13:34:32

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administra...

7.2

CVE-2025-3466

Exploit
  • EPSS 0.17%
  • Veröffentlicht 07.07.2025 09:55:28
  • Zuletzt bearbeitet 10.07.2025 15:01:31

langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such ...

6.1

CVE-2025-49149

Exploit
  • EPSS 0.05%
  • Veröffentlicht 17.06.2025 22:34:24
  • Zuletzt bearbeitet 01.08.2025 22:13:08

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a c...

6.1

CVE-2025-43854

  • EPSS 0.03%
  • Veröffentlicht 28.04.2025 15:58:54
  • Zuletzt bearbeitet 12.05.2025 19:37:01

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page witho...

7.6

CVE-2025-43862

Exploit
  • EPSS 0.06%
  • Veröffentlicht 25.04.2025 15:05:32
  • Zuletzt bearbeitet 01.08.2025 22:00:11

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presented for a normal user. This access control flaw allow...

6.5

CVE-2025-32796

Exploit
  • EPSS 0.06%
  • Veröffentlicht 18.04.2025 16:15:23
  • Zuletzt bearbeitet 30.04.2025 16:12:32

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and norm...

6.5

CVE-2025-32795

Exploit
  • EPSS 0.04%
  • Veröffentlicht 18.04.2025 16:15:23
  • Zuletzt bearbeitet 19.06.2025 00:25:59

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows ...

4.3

CVE-2025-32790

Exploit
  • EPSS 0.04%
  • Veröffentlicht 18.04.2025 12:15:11
  • Zuletzt bearbeitet 19.06.2025 00:36:04

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow admini...

4.8

CVE-2025-29720

Exploit
  • EPSS 0.01%
  • Veröffentlicht 14.04.2025 00:00:00
  • Zuletzt bearbeitet 18.06.2025 13:40:32

Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi.