8 matches found
CVE-2026-26023
CVE-2026-26023 affects Dify’s web chat frontend when using echarts prior to version 1.13.0, enabling a client-side DOM XSS via inputs containing a specific JavaScript payload. The vulnerability, exploitable with network access and passive user interaction, has no confidentiality/integrity/availab...
CVE-2025-11750
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...
CVE-2025-11750 User Enumeration via Distinct Error Messages in langgenius/dify-web
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...
CVE-2025-11750
CVE-2025-11750 affects langgenius/dify-web version 1.6.0. Multiple connected sources confirm an authentication flaw where login/registration error messages distinguish between non-existent vs. existing usernames or emails (e.g., “account not found”), enabling user enumeration. This can facilitate...
CVE-2025-11750 User Enumeration via Distinct Error Messages in langgenius/dify-web
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...
Malicious code in dify-web (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d98e6fba7e9370347c73e0d316cbd3fb83b1cb2e50f5e17a6423d321afa21a59 The OpenSSF Package Analysis project identified 'dify-web' @ 2.0.0 npm as malicious. It is considered malicious because: - The package...
EUVD-2025-32433
Malicious code in dify-web npm...
MAL-2025-47907 Malicious code in dify-web (npm)
--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d98e6fba7e9370347c73e0d316cbd3fb83b1cb2e50f5e17a6423d321afa21a59 The OpenSSF Package Analysis project identified 'dify-web' @ 2.0.0 npm as malicious. It is considered malicious because: - The package...