Every CVE whose affected-product data names Langgenius Dify, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (27)
CVE-2025-56157 — CVSS 9.8 (critical): Default credentials in Dify thru 1.5.1. PostgreSQL username and password specified in the docker-compose.yaml file included in its source…
CVE-2025-63388 — CVSS 9.1 (critical): A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint…
CVE-2025-63386 — CVSS 9.1 (critical): A Cross-Origin Resource Sharing (CORS) misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/setup endpoint. The…
CVE-2025-1796 — CVSS 8.8 (high): A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts, by exploiting a…
CVE-2024-12039 — CVSS 8.1 (high): langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess attempts for…
CVE-2024-12776 — CVSS 8.1 (high): In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset…
CVE-2025-43862 — CVSS 7.6 (high): Dify is an open-source LLM app development platform. Prior to version 0.6.12, a normal user is able to access and modify APP orchestration…
CVE-2024-11824 — CVSS 7.6 (high): A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log functionality. The…
CVE-2025-63387 — CVSS 7.5 (high): Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the…
CVE-2024-10252 — CVSS 7.2 (high): A vulnerability in langgenius/dify versions <=v0.9.1 allows for code injection via internal SSRF requests in the Dify sandbox service. This…
CVE-2025-3466 — CVSS 7.2 (high): langgenius/dify versions 1.1.0 to 1.1.2 are vulnerable to unsanitized input in the code node, allowing execution of arbitrary code with…
CVE-2025-32796 — CVSS 6.5 (medium): Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users…
CVE-2024-12775 — CVSS 6.5 (medium): langgenius/dify version 0.10.1 contains a Server-Side Request Forgery (SSRF) vulnerability in the test functionality for the Create Custom…
CVE-2025-0184 — CVSS 6.5 (medium): A Server-Side Request Forgery (SSRF) vulnerability was identified in langgenius/dify version 0.10.2. The vulnerability occurs in the…
CVE-2025-32795 — CVSS 6.5 (medium): Dify is an open-source LLM app development platform. Prior to version 0.6.12, a vulnerability was identified in the DIFY where normal users…
CVE-2026-41950 — CVSS 6.5 (medium): Dify before version 1.14.0 contains an authorization bypass vulnerability that allows authenticated users to read the full contents of…
CVE-2025-32790 — CVSS 6.3 (medium): Dify is an open-source LLM app development platform. In versions 0.6.8 and prior, a vulnerability was identified in the DIFY AI where…
CVE-2026-42138 — CVSS 6.1 (medium): Dify is an open-source LLM app development platform. Prior to version 1.13.1, using the method POST /api/files/upload, any unauthenticated…
CVE-2025-49149 — CVSS 6.1 (medium): Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications…
CVE-2025-43854 — CVSS 6.1 (medium): DIFY is an open-source LLM app development platform. Prior to version 1.3.0, a clickjacking vulnerability was found in the default setup of…
CVE-2025-58747 — CVSS 6.1 (medium): Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site…
CVE-2025-3467 — CVSS 5.4 (medium): An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows…
CVE-2024-11850 — CVSS 5.4 (medium): A stored cross-site scripting (XSS) vulnerability exists in the latest version of langgenius/dify. The vulnerability is due to improper…
CVE-2025-11750 — CVSS 5.3 (medium): In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error…
CVE-2025-29720 — CVSS 4.8 (medium): Dify v1.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUpload…
CVE-2024-11821 — CVSS 4.3 (medium): A privilege escalation vulnerability exists in langgenius/dify version 0.9.1. This vulnerability allows a normal user to modify Orchestrate…
CVE-2025-59422 — CVSS 3.1 (low): Dify is an open-source LLM app development platform. In version 1.8.1, a broken access control vulnerability on the /console/api/apps/<APP_I…