Langgenius

Dify

19 vulnerabilities found.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
6

CVE-2025-59422

  • EPSS 0.04%
  • Published 25.09.2025 14:15:45
  • Last modified 26.09.2025 14:32:53

Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_ID>chat-messages?conversation_id=<CONVERSATION_ID>&limit=10 endpoint allows users in the same workspace to read...

5.4

CVE-2025-3467

Exploit
  • EPSS 0.04%
  • Published 07.07.2025 09:56:19
  • Last modified 10.07.2025 13:34:32

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administra...

7.2

CVE-2025-3466

Exploit
  • EPSS 0.17%
  • Published 07.07.2025 09:55:28
  • Last modified 10.07.2025 15:01:31

langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such ...

6.1

CVE-2025-49149

Exploit
  • EPSS 0.05%
  • Published 17.06.2025 22:34:24
  • Last modified 01.08.2025 22:13:08

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a c...

6.1

CVE-2025-43854

  • EPSS 0.03%
  • Published 28.04.2025 15:58:54
  • Last modified 12.05.2025 19:37:01

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page witho...

7.6

CVE-2025-43862

Exploit
  • EPSS 0.06%
  • Published 25.04.2025 15:05:32
  • Last modified 01.08.2025 22:00:11

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presented for a normal user. This access control flaw allow...

6.5

CVE-2025-32796

Exploit
  • EPSS 0.06%
  • Published 18.04.2025 16:15:23
  • Last modified 30.04.2025 16:12:32

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and norm...

6.5

CVE-2025-32795

Exploit
  • EPSS 0.04%
  • Published 18.04.2025 16:15:23
  • Last modified 19.06.2025 00:25:59

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows ...

4.3

CVE-2025-32790

Exploit
  • EPSS 0.04%
  • Published 18.04.2025 12:15:11
  • Last modified 19.06.2025 00:36:04

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow admini...

4.8

CVE-2025-29720

Exploit
  • EPSS 0.01%
  • Published 14.04.2025 00:00:00
  • Last modified 18.06.2025 13:40:32

Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi.