313 matches found

CNNVD
added 2026/05/18 12:0 a.m. | 6 views

dify security vulnerability

dify is an open-source LLM application development platform by LangGenius. Versions of dify prior to 1.14.1 have a security vulnerability. This vulnerability stems from an authorization bypass issue in the file preview endpoint, which allows any authenticated user to read the first 3,000 characte...

CVSS 8.2 | AI score 5.8 | EPSS 0.004
Exploits: 1 | References: 6
Positive Technologies
added 2026/05/18 12:0 a.m. | 10 views

PT-2026-41676

Dify version 1.14.1 and prior contain an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access the...

CVSS 8.2 | AI score 5.7 | EPSS 0.004
Exploits: 1 | References: 4
NVD
added 2026/05/05 9:16 p.m. | 4 views

CVE-2026-41950

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit...

CVSS 6.5 | EPSS 0.00326
Exploits: 1 | References: 4
Vulnrichment
added 2026/05/05 8:35 p.m. | 6 views

CVE-2026-41950 Dify < 1.14.0 Authorization Bypass via File UUID

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit...

CVSS 6.5 | AI score 5.9 | EPSS 0.00326
Exploits: 1 | References: 4
CVE
added 2026/05/05 8:35 p.m. | 38 views

CVE-2026-41950

CVE-2026-41950 affects Dify before version 1.14.0. An authorization bypass in the chat-messages flow allows an authenticated user to read full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. The ro...

CVSS 6.5 | AI score 5.9 | EPSS 0.00326
Exploits: 1 | References: 4 | Affected Software: 1
Cvelist
added 2026/05/05 8:35 p.m. | 24 views

CVE-2026-41950 Dify < 1.14.0 Authorization Bypass via File UUID

Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request. Attackers can exploit...

CVSS 6.5 | EPSS 0.00326
Exploits: 1 | References: 4
CNNVD
added 2026/05/05 12:0 a.m. | 5 views

dify security vulnerability

Dify is an open-source LLM application development platform developed by LangGenius. Versions of Dify prior to 1.14.0 contained security vulnerabilities. These vulnerabilities were due to authorization bypass issues, which could allow authenticated users to read the complete contents of files...

CVSS 6.5 | AI score 5.8 | EPSS 0.00326
Exploits: 1 | References: 1
NVD
added 2026/05/04 6:16 p.m. | 5 views

CVE-2026-42138

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This...

CVSS 6.9 | EPSS 0.00235
Exploits: 1 | References: 2
Vulnrichment
added 2026/05/04 5:34 p.m. | 5 views

CVE-2026-42138 Dify Vulnerable to Stored XSS via SVG-file upload

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This...

CVSS 6.9 | AI score 5.7 | EPSS 0.00235
Exploits: 1 | References: 2
ATTACKERKB
added 2026/05/04 5:34 p.m. | 2 views

CVE-2026-42138

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This...

CVSS 6.9 | AI score 5.7 | EPSS 0.00235
Exploits: 1 | References: 3 | Affected Software: 1
Cvelist
added 2026/05/04 5:34 p.m. | 30 views

CVE-2026-42138 Dify Vulnerable to Stored XSS via SVG-file upload

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This...

CVSS 6.9 | EPSS 0.00235
Exploits: 1 | References: 2
EUVD
added 2026/05/04 5:34 p.m. | 7 views

EUVD-2026-27071

Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also vulnerable. This...

CVSS 6.9 | AI score 5.7 | EPSS 0.00235
Exploits: 1 | References: 2
CVE
added 2026/05/04 5:34 p.m. | 14 views

CVE-2026-42138

CVE-2026-42138 affects Dify (open-source LLM app development platform). Before v1.13.1, an SVG upload via POST /api/files/upload allowed unauthenticated XSS, and POST /v1/files/upload was also vulnerable when authenticated. The issue is patched in v1.13.1. Impact is stored XSS; remediation is upg...

CVSS 6.9 | AI score 5.7 | EPSS 0.00235
Exploits: 1 | References: 2 | Affected Software: 1
Positive Technologies
added 2026/05/04 12:0 a.m. | 6 views

PT-2026-36885

Name of the Vulnerable Software and Affected Versions: Dify versions prior to 1.13.1. Description: An issue exists in this open-source LLM app development platform where users can upload SVG files containing Cross-Site Scripting (XSS), which is a technique that allows attackers to execute malicious...

CVSS 6.9 | AI score 5.9 | EPSS 0.00235
Exploits: 1 | References: 5
CNNVD
added 2026/05/04 12:0 a.m. | 6 views

dify cross-site scripting vulnerability

Dify is an open-source LLM application development platform developed by LangGenius. Versions of Dify prior to 1.13.1 had a cross-site scripting vulnerability. This vulnerability stemmed from the POST /api/files/upload method, which allowed unauthenticated users to upload SVG files containing...

CVSS 6.9 | AI score 5.6 | EPSS 0.00235
Exploits: 1 | References: 1
NVD
added 2026/04/20 11:16 p.m. | 1 view

CVE-2026-34082

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps//conversations/ has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue...

CVSS 5.3 | EPSS 0.00188
Exploits: 1 | References: 2
Vulnrichment
added 2026/04/20 11:3 p.m. | 8 views

CVE-2026-34082 Dify has IDOR in deleting someone else's chat conversation

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps//conversations/ has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue...

CVSS 5.3 | AI score 5.7 | EPSS 0.00188
Exploits: 1 | References: 2
ATTACKERKB
added 2026/04/20 11:3 p.m. | 2 views

CVE-2026-34082

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps//conversations/ has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue...

CVSS 5.3 | AI score 5.7 | EPSS 0.00188
Exploits: 1 | References: 3 | Affected Software: 1
Cvelist
added 2026/04/20 11:3 p.m. | 25 views

CVE-2026-34082 Dify has IDOR in deleting someone else's chat conversation

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method DELETE /console/api/installed-apps//conversations/ has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue...

CVSS 5.3 | EPSS 0.00188
Exploits: 1 | References: 2
CVE
added 2026/04/20 11:3 p.m. | 26 views

CVE-2026-34082

CVE-2026-34082 affects the open-source platform Dify. A flaw in the authorization of the endpoint DELETE /console/api/installed-apps//conversations/ (prior to 1.13.1) allows any authenticated user to delete another user's chat history, an IDOR-type vulnerability. This could enable unauthorized a...

CVSS 5.3 | AI score 5.7 | EPSS 0.00188
Exploits: 1 | References: 2 | Affected Software: 1