CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

show all

313 matches found

CVE•added 2025/10/17 3:48 p.m.•22 views

CVE-2025-58747

CVE-2025-58747 affects Dify up to version 1.9.1, where the MCP OAuth flow passes the remote server’s authorization_url directly to window.open without validation, enabling arbitrary JavaScript execution (XSS) when a victim connects to a malicious MCP server. Affected component: MCP OAuth in Dify....

6.1CVSS6.3AI score0.05233EPSS

Exploits1References2Affected Software1

Cvelist•added 2025/10/17 3:48 p.m.•9 views

CVE-2025-58747 Dify MCP OAuth Flow Vulnerable to XSS

Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorizationurl...

5.1CVSS0.05233EPSS

Exploits1References2

CNNVD•added 2025/10/17 12:0 a.m.•3 views

Dify 跨站脚本漏洞

Dify is an open source LLM application development platform from LangGenius Open Source. A cross-site scripting vulnerability exists in Dify 1.9.1 and earlier versions, which stems from a failure to validate or clean up the authorizationurl in the implementation of the OAuth process, which could...

6.1CVSS6AI score0.05233EPSS

Exploits1References3

EUVD•added 2025/10/04 2:19 p.m.•2 views

EUVD-2025-32433

Malicious code in dify-web npm...

6.6AI score

Exploits0

OSSF Malicious Packages•added 2025/10/04 2:19 p.m.•3 views

Malicious code in dify-web (npm)

--- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis d98e6fba7e9370347c73e0d316cbd3fb83b1cb2e50f5e17a6423d321afa21a59 The OpenSSF Package Analysis project identified 'dify-web' @ 2.0.0 npm as malicious. It is considered malicious because: - The package...

6.9AI score

Exploits0