313 matches found

NVD
added 2025/04/14 5:15 p.m. · 16 views

CVE-2025-29720

Dify v1.0 was discovered to contain a Server-Side Request Forgery SSRF via the component controllers.console.remote_files.RemoteFileUploadApi...

CVSS 4.8 · EPSS 0.00141
Exploits: 1 · References: 2
OSV
added 2025/04/14 5:15 p.m. · 4 views

CVE-2025-29720

Dify v1.0 was discovered to contain a Server-Side Request Forgery SSRF via the component controllers.console.remote_files.RemoteFileUploadApi...

CVSS 4.8 · AI score 7.6
Exploits: 0 · References: 2
Positive Technologies
added 2025/04/14 12:00 a.m. · 5 views

PT-2025-16259 · Dify · Dify

Name of the Vulnerable Software and Affected Versions: Dify version 1.0 Description: The issue is related to a Server-Side Request Forgery SSRF via the component controllers.console.remote_files.RemoteFileUploadApi. This allows for potential unauthorized access to internal resources...

CVSS 4.8 · AI score 6.2 · EPSS 0.00141
Exploits: 1 · References: 10
Vulnrichment
added 2025/04/14 12:00 a.m. · 4 views

CVE-2025-29720

Dify v1.0 was discovered to contain a Server-Side Request Forgery SSRF via the component controllers.console.remote_files.RemoteFileUploadApi...

AI score 7.4 · EPSS 0.00141
Exploits: 1 · References: 2
CNNVD
added 2025/04/14 12:00 a.m. · 4 views

dify security vulnerability

dify is an open source LLM application development platform from LangGenius Open Source. A security vulnerability exists in dify v1.0, which stems from a server-side request forgery in the component controllers.console.remote_files.RemoteFileUploadApi...

CVSS 4.8 · AI score 6.5 · EPSS 0.00141
Exploits: 1 · References: 3
Cvelist
added 2025/04/14 12:00 a.m. · 14 views

CVE-2025-29720

Dify v1.0 was discovered to contain a Server-Side Request Forgery SSRF via the component controllers.console.remote_files.RemoteFileUploadApi...

EPSS 0.00141
Exploits: 1 · References: 2
CVE
added 2025/04/14 12:00 a.m. · 83 views

CVE-2025-29720

CVE-2025-29720 describes a Server-Side Request Forgery (SSRF) in Dify via controllers.console.remote_files.RemoteFileUploadApi affecting Dify v1.0 (and references to v1.6.0 in related advisories). The underlying issue is a component exposure that can be triggered locally with user interaction req...

CVSS 4.8 · AI score 7.5 · EPSS 0.00141
In wild · Exploits: 1 · References: 2 · Affected Software: 1
RedhatCVE
added 2025/03/22 1:25 p.m. · 14 views

CVE-2025-0184

A Server-Side Request Forgery SSRF vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...

CVSS 6.5 · AI score 7.2 · EPSS 0.00472
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 1:15 p.m. · 7 views

CVE-2024-12775

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery SSRF vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's...

CVSS 6.5 · AI score 7.1 · EPSS 0.0061
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:53 p.m. · 7 views

CVE-2024-11821

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint...

CVSS 4.3 · AI score 7 · EPSS 0.00446
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:52 p.m. · 14 views

CVE-2024-11822

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery SSRF vulnerability. The vulnerability exists due to improper handling of the apiendpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal...

CVSS 7.5 · AI score 6.9 · EPSS 0.0056
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:51 p.m. · 7 views

CVE-2024-11824

A stored cross-site scripting XSS vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like and are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an adm...

CVSS 7.6 · AI score 5.2 · EPSS 0.00432
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:42 p.m. · 7 views

CVE-2025-1796

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator PRNG used for generating password reset codes. The application uses random.randint for this purpose, which is not suitable...

CVSS 8.8 · AI score 7 · EPSS 0.00542
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:41 p.m. · 15 views

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function vn.gettrainingplangenericdfinformationschema, which does not properly sanitize user inputs before executing queries...

CVSS 8.8 · AI score 7.9 · EPSS 0.00983
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:30 p.m. · 6 views

CVE-2024-12776

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application...

CVSS 8.1 · AI score 7 · EPSS 0.00614
Exploits: 1 · References: 1
RedhatCVE
added 2025/03/22 12:28 p.m. · 4 views

CVE-2024-12039

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting i...

CVSS 8.1 · AI score 7.4 · EPSS 0.00634
Exploits: 1 · References: 1
OSV
added 2025/03/20 10:15 a.m. · 4 views

CVE-2025-1796

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator PRNG used for generating password reset codes. The application uses random.randint for this purpose, which is not suitable...

CVSS 8.8 · AI score 7.5
Exploits: 0 · References: 1
NVD
added 2025/03/20 10:15 a.m. · 21 views

CVE-2025-1796

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator PRNG used for generating password reset codes. The application uses random.randint for this purpose, which is not suitable...

CVSS 8.8 · EPSS 0.00542
Exploits: 1 · References: 1
OSV
added 2025/03/20 10:15 a.m. · 4 views

CVE-2025-0185

A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function vn.gettrainingplangenericdfinformationschema, which does not properly sanitize user inputs before executing queries...

CVSS 8.8 · AI score 7.4 · EPSS 0.00983
Exploits: 1 · References: 1
OSV
added 2025/03/20 10:15 a.m. · 8 views

CVE-2025-0184

A Server-Side Request Forgery SSRF vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...

CVSS 6.5 · AI score 7.1
Exploits: 0 · References: 2