313 matches found
CVE-2025-0184
A Server-Side Request Forgery SSRF vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...
CVE-2025-0185
A vulnerability in the Dify Tools' Vanna module of the langgenius/dify repository allows for a Pandas Query Injection in the latest version. The vulnerability occurs in the function vn.gettrainingplangenericdfinformationschema, which does not properly sanitize user inputs before executing queries...
CVE-2024-12776
In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application...
CVE-2024-12775
langgenius/dify version 0.10.1 contains a Server-Side Request Forgery SSRF vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's...
CVE-2024-12039
langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting i...
CVE-2024-11824
A stored cross-site scripting XSS vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like and are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an adm...
CVE-2024-11850
A stored cross-site scripting XSS vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...
CVE-2024-11850
A stored cross-site scripting XSS vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...
CVE-2024-11822
langgenius/dify version 0.9.1 contains a Server-Side Request Forgery SSRF vulnerability. The vulnerability exists due to improper handling of the apiendpoint parameter, allowing an attacker to make direct requests to internal network services. This can lead to unauthorized access to internal...
CVE-2024-11824
A stored cross-site scripting XSS vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like and are not disallowed, allowing an attacker to inject malicious HTML into the log via prompts. When an adm...
CVE-2024-11821
A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint...
CVE-2024-10252
A vulnerability in langgenius/dify versions =v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion of...
CVE-2025-0184 Server-Side Request Forgery (SSRF) in langgenius/dify
A Server-Side Request Forgery SSRF vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...
CVE-2025-0184 Server-Side Request Forgery (SSRF) in langgenius/dify
A Server-Side Request Forgery SSRF vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...
CVE-2025-0184
CVE-2025-0184 describes an SSRF in langgenius/dify around the DOCX upload in the Create Knowledge flow (v0.10.2). The vulnerability triggers when a DOCX’s external relationship uses a reltype value fetched via the requests module instead of the SSRF proxy, enabling an attacker with access to the ...
CVE-2024-11850 Stored XSS in langgenius/dify
A stored cross-site scripting XSS vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...
CVE-2024-11850 Stored XSS in langgenius/dify
A stored cross-site scripting XSS vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...
CVE-2024-11850
CVE-2024-11850 describes a stored XSS vulnerability in the latest version of langgenius/dify, caused by improper validation/sanitization of user input in SVG markdown support within the chatbot feature. An attacker can inject malicious SVG content that executes JavaScript when viewed by an admin,...
CVE-2024-12776 Authentication Bypass in langgenius/dify
In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application...
CVE-2024-12776
CVE-2024-12776 affects langgenius/dify v0.10.1. The issue is that the /forgot-password/resets endpoint does not verify the password reset code, enabling an attacker to reset the password of any user, including administrators, potentially leading to full compromise of the application. Root cause: ...