VYPR

Vendor: Langgenius
Products: 1
CVEs: 41 (41 across products)
Status: Private

Recent CVEs (41)
  • CVE-2026-41948 · Critical · May 18, 2026
    risk 0.54 · CVSS 9.4 · EPSS 0.01

    Dify version 1.14.1 and prior contain a path traversal vulnerability that allows authenticated users to manipulate requests forwarded to the Plugin Daemon's internal REST API by exploiting insufficient URL path sanitization. Attackers can traverse out of their authorized tenant…

  • CVE-2026-41947 · Critical · May 18, 2026
    risk 0.52 · CVSS 9.1 · EPSS 0.00

    Dify before version 1.14.2 contains an authorization bypass vulnerability that allows authenticated editor users to set and enable trace configurations for any application regardless of tenant ownership. Attackers can exploit missing tenant ownership checks in the trace…

  • CVE-2026-6618 · Medium · Apr 20, 2026
    risk 0.41 · CVSS 6.3 · EPSS 0.00

    A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to…

  • CVE-2026-41950 · Medium · May 5, 2026
    risk 0.35 · CVSS 6.5 · EPSS 0.00

    Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of files uploaded by other users within the same tenant by supplying an arbitrary file UUID in the files array of a chat-messages request.…

  • CVE-2026-6617 · Medium · Apr 20, 2026
    risk 0.34 · CVSS 6.3 · EPSS 0.00

    A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function get_api_tool_provider_remote_schema of the file api/services/tools/api_tools_manage_service.py of the component ApiToolManageService. Performing a manipulation of the argument…

  • CVE-2026-42138 · Medium · May 4, 2026
    risk 0.33 · CVSS 6.1 · EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated user can upload an SVG file with XSS. The method POST /v1/files/upload, which requires authentication through the application API, is also…

  • CVE-2026-41949 · Medium · May 18, 2026
    risk 0.31 · CVSS 5.9 · EPSS 0.00

    Dify before version 1.14.2 contains an authorization bypass vulnerability in the file preview endpoint that allows any authenticated user to read up to 3,000 characters of any uploaded document across all tenants and workspaces using only the file's UUID. Attackers can access…

  • CVE-2026-6619 · Low · Apr 20, 2026
    risk 0.23 · CVSS 3.5 · EPSS 0.00

    A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The…

  • CVE-2026-34082 · Medium · Apr 20, 2026
    risk 0.21 · CVSS 4.3 · EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps//conversations/` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version…

  • CVE-2025-63387 · Dec 18, 2025
    risk 0.02 · CVSS n/a · EPSS 0.28

    Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks,…

  • CVE-2026-21866 · Mar 3, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe…

  • CVE-2026-28288 · Feb 27, 2026
    risk 0.00 · CVSS n/a · EPSS 0.01

    Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

  • CVE-2026-26023 · Feb 11, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to 1.13.0, a cross site scripting vulnerability has been found in the web application chat frontend when using echarts. User or llm inputs containing echarts containing a specific javascript payload will be executed.…

  • CVE-2025-67732 · Jan 5, 2026
    risk 0.00 · CVSS n/a · EPSS 0.00

    Dify is an open-source LLM app development platform. Prior to version 1.11.0, the API key is exposed in plaintext to the frontend, allowing non-administrator users to view and reuse it. This can lead to unauthorized access to third-party services, potentially consuming limited…

  • CVE-2025-63386 · Dec 18, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The endpoint implements an insecure CORS policy that reflects any Origin header and enables Access-Control-Allow-Credentials: true, permitting…

  • CVE-2025-56157 · Dec 18, 2025
    risk 0.00 · CVSS n/a · EPSS 0.01

    Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source code. NOTE: the Supplier reports that the Docker configuration does not make PostgreSQL (on TCP port 5432) exposed by default in version…

  • CVE-2025-63388 · Dec 18, 2025
    risk 0.00 · CVSS n/a · EPSS 0.00

    A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials:…

  • CVE-2025-11750 · Oct 22, 2025
    risk 0.00 · CVSS n/a · EPSS 0.01

    In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or…

  • CVE-2025-58747 · Oct 17, 2025
    risk 0.00 · CVSS n/a · EPSS 0.05

    Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the…

  • CVE-2025-56520 · Sep 30, 2025
    risk 0.00 · CVSS n/a · EPSS 0.01

    Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.
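Several entries in the list above share one root cause: an object or a path is resolved from a caller-supplied identifier without checking that it belongs to the caller (CVE-2026-41950 and CVE-2026-41949 on file UUIDs, CVE-2026-41947 on per-application trace configuration, and CVE-2026-41948 on paths forwarded to the Plugin Daemon's internal API). The block below is an added example, not code from Dify, showing the vulnerable and hardened shape of a tenant-scoped lookup and of a path-confinement check for a forwarded request. The in-memory tables, the tenant/user identifiers, the `Forbidden` exception and the `/plugin/<tenant>/` prefix convention are all assumptions made for illustration.

```python
# Added example (not Dify project code): tenant-boundary enforcement for
# (1) lookups by UUID and (2) paths forwarded to an internal service.
# Tables, identifiers and the '/plugin/<tenant>' prefix are assumptions.
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class Principal:
    user_id: str
    tenant_id: str


@dataclass(frozen=True)
class StoredFile:
    file_id: str
    tenant_id: str
    owner_id: str
    content: str


class Forbidden(Exception):
    """Raised for both 'does not exist' and 'not yours', so the error does not
    confirm that a guessed UUID exists in some other tenant."""


# Constructed sample data: two tenants, a second user inside tenant-a.
FILE_A = "11111111-1111-4111-8111-111111111111"
FILE_B = "22222222-2222-4222-8222-222222222222"
FILE_C = "33333333-3333-4333-8333-333333333333"
FILES = {
    FILE_A: StoredFile(FILE_A, "tenant-a", "alice", "tenant A document"),
    FILE_B: StoredFile(FILE_B, "tenant-b", "bob", "tenant B document"),
    FILE_C: StoredFile(FILE_C, "tenant-a", "carol", "carol's document"),
}


def get_file_unscoped(file_id: str) -> StoredFile:
    """Vulnerable pattern: possession of the UUID is treated as authorization."""
    return FILES[file_id]


def get_file_scoped(caller: Principal, file_id: str, *, owner_only: bool = False) -> StoredFile:
    """Hardened pattern: the lookup is filtered by the caller's tenant, and
    optionally by owner for resources that are private within a tenant."""
    f = FILES.get(file_id)
    if f is None or f.tenant_id != caller.tenant_id:
        raise Forbidden("file not found")
    if owner_only and f.owner_id != caller.user_id:
        raise Forbidden("file not found")
    return f


def confine_forward_path(caller: Principal, user_path: str) -> str:
    """Build the path to forward to an internal service so that it cannot
    escape the caller's tenant prefix. Decode exactly once, reject input that
    would decode again, normalise, then check the prefix on the normalised
    result rather than on the raw input."""
    tenant_root = f"/plugin/{caller.tenant_id}"
    decoded = unquote(user_path)
    if unquote(decoded) != decoded:
        raise Forbidden("double-encoded path")
    if "\x00" in decoded or "\\" in decoded:
        raise Forbidden("invalid path")
    candidate = posixpath.normpath(posixpath.join(tenant_root, decoded.lstrip("/")))
    # '/plugin/tenant-a' must not be satisfied by '/plugin/tenant-ab/...'
    if candidate != tenant_root and not candidate.startswith(tenant_root + "/"):
        raise Forbidden("path escapes tenant scope")
    return candidate
```

The scoped lookup deliberately returns the same error for a missing id and a foreign-tenant id; distinguishing them would turn the endpoint into an oracle for valid UUIDs. The path check normalises after decoding and compares the result against the tenant root, which is the order that defeats `..`, duplicated slashes and single percent-encoding of dots.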
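CVE-2025-63386 and CVE-2025-63388 above describe the same misconfiguration on two endpoints (`/console/api/setup` and `/console/api/system-features`): the server reflects whatever `Origin` header it receives and sets `Access-Control-Allow-Credentials: true`, which lets any page a logged-in user visits make credentialed requests and read the response. The block below is an added example, not Dify's code, placing the reflecting pattern beside an allow-list pattern and including the check a tester runs against a captured response. The allow-listed console origin and the probe origin are assumptions.

```python
# Added example (not Dify project code): origin-reflecting CORS with credentials
# versus an allow-list, plus a checker for the misconfiguration. The allowed
# origin and the attacker origin are assumptions for illustration.
from __future__ import annotations

# Assumption: the deployment's real console origin.
ALLOWED_ORIGINS = {"https://console.example.com"}


def cors_headers_reflecting(request_origin: str | None) -> dict[str, str]:
    """Vulnerable pattern: echo any Origin and allow credentials. Every origin
    on the web can then read authenticated responses from this endpoint."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin: str | None,
                             allowed: set[str] = ALLOWED_ORIGINS) -> dict[str, str]:
    """Hardened pattern: only an exact match against a fixed allow-list earns an
    ACAO header; a missing or 'null' Origin never does. 'Vary: Origin' keeps a
    shared cache from replaying one origin's answer to another."""
    if request_origin is None or request_origin not in allowed:
        return {"Vary": "Origin"}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }


def is_cors_misconfigured(sent_origin: str, response_headers: dict[str, str]) -> bool:
    """True when the response reflects the origin we sent AND enables credentials.
    '*' with credentials is refused by browsers, so only an exact reflection counts."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    return acac and acao == sent_origin


def probe(handler, attacker_origin: str = "https://attacker.example") -> bool:
    """Send the handler an attacker-controlled Origin, as a tester would with
    curl -H 'Origin: ...', and report whether the response is exploitable."""
    return is_cors_misconfigured(attacker_origin, handler(attacker_origin))
```

Against a live target the same check is `curl -i -H 'Origin: https://attacker.example' <url>` and reading the two `Access-Control-Allow-*` headers back; an `Access-Control-Allow-Origin` equal to the arbitrary origin you supplied together with `Access-Control-Allow-Credentials: true` is the finding.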
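CVE-2026-42138 above concerns an SVG uploaded through the files endpoint being stored and later served with embedded script. SVG is XML, so a stored one can carry `<script>`, `on*` event attributes and `javascript:` links, and it executes in whatever origin serves it inline. The block below is an added example, not Dify's code: a screen for active content in an uploaded SVG, and the response headers that stop a stored file from running script in the application origin even when the screen misses something. The sample documents and the header values are constructed for illustration.

```python
# Added example (not Dify project code): screening an uploaded SVG for active
# content, and headers for serving stored uploads. Sample inputs are constructed.
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object"}
URL_ATTRS = {"href", "src"}                     # local names after namespace strip
_SCHEME = re.compile(r"^[\s\x00-\x1f]*([a-z][a-z0-9+.-]*):", re.I)
_ACTIVE_SCHEMES = {"javascript", "data", "vbscript"}


def _local(name: str) -> str:
    """Strip an ElementTree '{namespace}' prefix and lower-case the name."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> list[str]:
    """Return the reasons an SVG upload should be rejected; [] means none found.
    The stdlib parser is used for the example; a production path should parse
    with defusedxml so entity-expansion documents are rejected too."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError as e:
        return [f"malformed XML: {e}"]
    if _local(root.tag) != "svg":
        return ["root element is not <svg>"]
    reasons: list[str] = []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in DANGEROUS_TAGS:
            reasons.append(f"<{tag}> element")
        for attr, value in el.attrib.items():
            a = _local(attr)
            if a.startswith("on"):
                reasons.append(f"event handler {a} on <{tag}>")
            elif a in URL_ATTRS:
                m = _SCHEME.match(value)
                if m and m.group(1).lower() in _ACTIVE_SCHEMES:
                    reasons.append(f"{m.group(1)}: URL in {a} on <{tag}>")
        # <set>/<animate> can rewrite href or an event attribute after load.
        if tag in {"set", "animate"}:
            target = el.attrib.get("attributeName", "").split(":")[-1].lower()
            if target == "href" or target.startswith("on"):
                reasons.append(f"<{tag}> targeting {target}")
        if tag == "style" and "url(" in (el.text or "").lower():
            reasons.append("external resource reference in <style>")
    return reasons


def stored_file_response_headers(filename: str, content_type: str) -> dict[str, str]:
    """Headers for serving any user upload: force download, forbid MIME sniffing,
    and send a CSP that disables script and plugins should the file ever be
    rendered inline. Serving uploads from a separate origin is a deployment
    choice this function assumes rather than enforces."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Cache-Control": "private, no-store",
    }
```

The screen is a defence in depth, not the fix: the headers are what make a stored SVG harmless in the application origin, and a separate upload origin is what keeps an inline-rendered one away from the console session.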