CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Vulnrichment•added 2026/02/11 9:23 p.m.•2 views

CVE-2026-26023 Client‑side DOM XSS in the web chat app of Dify when using echarts

5.3CVSS4.7AI score0.00246EPSS

CNNVD•added 2026/02/11 12:0 a.m.•4 views

dify 跨站脚本漏洞

dify is an open-source LLM application development platform developed by LangGenius. Versions of dify prior to 1.13.0 contained a cross-site scripting vulnerability. This vulnerability stemmed from insufficient validation of inputs when echarts was used in the web application chat front-end,...

6.1CVSS5.6AI score0.00246EPSS

VulnCheck KEV•added 2026/02/11 12:0 a.m.•14 views

VulnCheck KEV: CVE-2025-56520

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery SSRF via the component controllers.console.remotefiles.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720...

5.3CVSS5.8AI score0.00659EPSS

In wildExploits2References2

Nuclei•added 2026/02/04 7:0 a.m.•7 views

Dify - User Enumeration via "Account not found" Message

A user enumeration vulnerability exists in langgenius/dify, where the login API leaks information about whether a user account exists or not. When an invalid/non-existent email is used during login, the API returns a distinct error message such as "accountnotfound" or "Account not found.", allowi...

5.3CVSS4.5AI score0.00722EPSS

Exploits1References4

EUVD•added 2026/01/13 6:7 p.m.•5 views

EUVD-2026-2402

Malicious code in dify-api PyPI...

6.6AI score

OSSF Malicious Packages•added 2026/01/13 2:21 p.m.•10 views

Malicious code in dify-api (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a40038bb1837e98127f2e267d1932d1eeb641c93e855c50af9aa25002e28c76b Installing the package or importing the module exfiltrates basic information about the host, and the package has no other purpose. --- Category: PROBABLYPENTES...

7.5AI score

OSV•added 2026/01/13 2:21 p.m.•2 views

MAL-2026-248 Malicious code in dify-api (PyPI)

7.4AI score

RedhatCVE•added 2026/01/07 9:12 a.m.•4 views

CVE-2025-67732

Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited quotas. Version...

8.4CVSS6.6AI score0.00305EPSS

NVD•added 2026/01/05 10:15 p.m.•6 views

CVE-2025-67732

8.4CVSS0.00305EPSS

Cvelist•added 2026/01/05 9:41 p.m.•26 views

CVE-2025-67732 Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint

8.4CVSS0.00305EPSS

OSV•added 2026/01/05 9:41 p.m.•3 views

CVE-2025-67732 Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint

8.4CVSS6.6AI score0.00305EPSS

CVE•added 2026/01/05 9:41 p.m.•16 views

CVE-2025-67732

Dify (open-source LLM app platform) prior to v1.11.0 exposes API keys in plaintext to the frontend, allowing non-administrator users to view and reuse them. This can enable unauthorized access to third‑party services and potential quota abuse. A fix is available in v1.11.0 or later.

8.4CVSS6.3AI score0.00305EPSS

Exploits1References1Affected Software1

Vulnrichment•added 2026/01/05 9:41 p.m.•4 views

CVE-2025-67732 Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint

8.4CVSS6.3AI score0.00305EPSS

CNNVD•added 2026/01/05 12:0 a.m.•4 views

dify 安全漏洞

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in versions of dify prior to 1.11.0, which stems from an API key being exposed in plaintext to the front-end, which could lead to unauthorized access to third-party services...

8.4CVSS6.4AI score0.00305EPSS

Positive Technologies•added 2026/01/05 12:0 a.m.•6 views

PT-2026-1341

Name of the Vulnerable Software and Affected Versions Dify versions prior to 1.11.0 Description Dify is an open-source LLM app development platform. Before version 1.11.0, the API key was exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This could lead ...

8.4CVSS6.3AI score0.00305EPSS

Exploits1References7

RedhatCVE•added 2025/12/19 12:41 a.m.•5 views

CVE-2025-56157

Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL on TCP port 5432 exposed by default in version 1.0.1 or later...

9.8CVSS5.9AI score0.00813EPSS

RedhatCVE•added 2025/12/19 12:41 a.m.•4 views

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...

7.5CVSS5.5AI score0.28042EPSS

RedhatCVE•added 2025/12/19 12:41 a.m.•11 views

CVE-2025-63386

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting arbitrary external domains t...

9.1CVSS5.7AI score0.00212EPSS