68 matches found
EUVD-2026-23805
A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function getapitoolproviderremoteschema of the file api/services/tools/apitoolsmanageservice.py of the component ApiToolManageService. Performing a manipulation of the argument url results in server-side...
CVE-2026-6619
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be...
CVE-2026-6618
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...
CVE-2026-6617
A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function getapitoolproviderremoteschema of the file api/services/tools/apitoolsmanageservice.py of the component ApiToolManageService. Performing a manipulation of the argument url results in server-side...
CVE-2026-6619 langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be...
CVE-2026-6619
The CVE affects langgenius dify up to version 1.13.3, specifically the ImagePreview component’s openInNewTab in web/app/components/base/image-uploader/image-preview.tsx. The vulnerability arises from manipulating the filename argument, enabling cross-site scripting. Impact is described as remote ...
CVE-2026-6618
Summary (CVE-2026-6618): A flaw in langgenius dify up to 1.13.3 affects the component ApiBasedToolSchemaParser, specifically parse_openai_plugin_json_to_tool_bundle in api/core/tools/utils/parser.py. The issue allows an attacker to manipulate the argument url to trigger a server-side request forg...
CVE-2026-6617
A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function getapitoolproviderremoteschema of the file api/services/tools/apitoolsmanageservice.py of the component ApiToolManageService. Performing a manipulation of the argument url results in server-side...
PT-2026-33734
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be...
PT-2026-33733
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse openai plugin json to tool bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery...
CVE-2025-11750
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system...
EUVD-2025-20208
Malicious code in bioql PyPI...
EUVD-2025-6834
Malicious code in bioql PyPI...
EUVD-2025-7040
Malicious code in bioql PyPI...
EUVD-2025-7037
Malicious code in bioql PyPI...
CVE-2025-3467
An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the...
CVE-2025-3466
langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictio...
CVE-2025-3467
An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the...
CVE-2025-3467
An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the...
CVE-2025-3466
langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictio...