18 matches found

added 2025/03/20 10:15 a.m.

CVE-2024-12775

langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom Tool option via the REST API POST /console/api/workspaces/current/tool-provider/api/test/pre. Attackers can set the url in the servers dictionary in OpenAI's sc...

CVSS 6.5 | AI score 6.6 | EPSS 0.00052

added 2025/04/14 5:15 p.m.

CVE-2025-29720

Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi.

CVSS 4.8 | AI score 7.5 | EPSS 0.00015

added 2025/04/18 4:15 p.m.

CVE-2025-32795

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users are improperly granted permissions to edit APP names, descriptions and icons. This access control flaw allows non-admin users to modify app details, despite be...

CVSS 6.5 | AI score 7 | EPSS 0.00033

added 2025/04/18 4:15 p.m.

CVE-2025-32796

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users can enable or disable apps through the API, even though the web UI button for this action is disabled and normal users are not permitted to make such changes. ...

CVSS 6.5 | AI score 6.9 | EPSS 0.0005

added 2025/04/18 1:15 p.m.

CVE-2025-32790

Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where normal users are improperly granted permissions to export APP DSL. The feature in '/export' should only allow administrator users to export DSL. A workaround for thi...

CVSS 6.3 | AI score 6.1 | EPSS 0.00039

added 2025/04/28 4:15 p.m.

CVE-2025-43854

DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of the DIFY application, allowing malicious actors to trick users into clicking on elements of the web page without their knowledge or consent. This can lead to u...

CVSS 6.1 | AI score 7 | EPSS 0.00036

added 2025/03/20 10:15 a.m.

CVE-2025-1796

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a weak pseudo-random number generator (PRNG) used for generating password reset codes. The application uses random.randint for this purpose, which is not suitable ...

CVSS 8.8 | AI score 7 | EPSS 0.00079

added 2025/03/20 10:15 a.m.

CVE-2025-0184

A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the 'Create Knowledge' section when uploading DOCX files. If an external relationship exists in the DOCX file, the reltype value is requested as a URL using the 'requests...

CVSS 6.5 | AI score 6.9 | EPSS 0.00053

added 2025/04/25 3:15 p.m.

CVE-2025-43862

Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration, even though the web UI of APP orchestration is not presented for a normal user. This access control flaw allows non-admin users to make unauthorized access and...

CVSS 7.6 | AI score 7.5 | EPSS 0.00049

added 2025/03/20 10:15 a.m.

CVE-2024-10252

A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This vulnerability enables an attacker to execute arbitrary Python code with root privileges within the sandbox environment, potentially leading to the deletion ...

CVSS 8.8 | AI score 9.1 | EPSS 0.00081

added 2025/03/20 10:15 a.m.

CVE-2024-11824

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The vulnerability arises because certain HTML tags like <input> and <form> are not disallowed, allowing an attacker to inject malicious HTML into the l...

CVSS 7.6 | AI score 5.3 | EPSS 0.00057

added 2025/03/20 10:15 a.m.

CVE-2024-11850

A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper validation and sanitization of user input in SVG markdown support within the chatbot feature. An attacker can exploit this vulnerability by injecting malicious SVG...

CVSS 6.8 | AI score 6.2 | EPSS 0.00054

added 2025/03/20 10:15 a.m.

CVE-2024-12039

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for password reset. This allows an unauthenticated attacker to reset owner, admin, or other user passwords within a few hours by guessing the six-digit code, resulting in ...

CVSS 8.1 | AI score 7.3 | EPSS 0.00146

added 2025/03/20 10:15 a.m.

CVE-2024-11821

A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate instructions for a chatbot created by an admin user. The issue arises because the application does not properly enforce access controls on the endpoint /consol...

CVSS 4.3 | AI score 4.8 | EPSS 0.00053

added 2025/03/20 10:15 a.m.

CVE-2024-12776

In langgenius/dify v0.10.1, the /forgot-password/resets endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.

CVSS 8.1 | AI score 8.1 | EPSS 0.00089

added 2025/07/07 10:15 a.m.

CVE-2025-3466

langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with full root permissions. The vulnerability arises from the ability to override global functions in JavaScript, such as parseInt, before sandbox security restrictions...

CVSS 9.8 | AI score 9.6 | EPSS 0.00112

added 2025/07/07 10:15 a.m.

CVE-2025-3467

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the mo...

CVSS 8 | AI score 7.3 | EPSS 0.00032

added 2025/06/17 11:15 p.m.

CVE-2025-49149

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting (XSS) attack when a user brow...

CVSS 5.3 | AI score 5.9 | EPSS 0.00067