
langgenius — Vulnerabilities & Security Advisories 32

Browse all 32 CVE security advisories affecting langgenius. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Langgenius operates as an open-source, self-hosted large language model application development platform, enabling organizations to build and deploy custom AI interfaces. With thirty-two recorded Common Vulnerabilities and Exposures, the software has historically exhibited significant security flaws, primarily involving remote code execution, cross-site scripting, and broken access control mechanisms. These vulnerabilities often stem from improper input validation and insufficient authentication checks within the application’s API layers. Notably, several incidents have highlighted critical privilege escalation risks, allowing unauthorized users to gain administrative access or execute arbitrary commands on the host system. The platform’s architecture, which relies heavily on external dependencies and complex integrations, has contributed to its attack surface. While designed for enterprise flexibility, these recurring security issues underscore the necessity for rigorous patch management and strict configuration controls to mitigate potential exploitation by malicious actors seeking to compromise underlying infrastructure.

Top products by langgenius: dify, langgenius/dify

CVE ID | Title | Product | CWE | CVSS | Severity | Published
CVE-2026-41950 | Dify < 1.14.0 Authorization Bypass via File UUID | dify | CWE-639 | 6.5 | Medium | 2026-05-05
CVE-2026-42138 | Dify Vulnerable to Stored XSS via SVG-file upload | dify | CWE-79 | 6.1 | - | 2026-05-04
CVE-2026-34082 | Dify has IDOR in deleting someone else's chat conversation | dify | CWE-863 | 4.3 (AI) | Medium (AI) | 2026-04-20
CVE-2026-6619 | langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting | dify | CWE-79 | 3.5 | Low | 2026-04-20
CVE-2026-6618 | langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery | dify | CWE-918 | 6.3 | Medium | 2026-04-20
CVE-2026-6617 | langgenius dify ApiToolManageService api_tools_manage_service.py get_api_tool_provider_remote_schema server-side request forgery | dify | CWE-918 | 6.3 | Medium | 2026-04-20
CVE-2026-21866 | Dify - Stored XSS in chat | dify | CWE-79 | 5.4 (AI) | Medium (AI) | 2026-03-03
CVE-2026-28288 | Dify has a user enumeration issue | dify | CWE-204 | 5.3 | - | 2026-02-27
CVE-2026-26023 | Client-side DOM XSS in the web chat app of Dify when using echarts | dify | CWE-79 | 6.1 (AI) | Medium (AI) | 2026-02-11
CVE-2025-67732 | Dify Vulnerable to Plaintext API Key Exposure via Model Provider Configuration Endpoint | dify | CWE-200 | 5.4 | - | 2026-01-05
CVE-2025-11750 | User Enumeration via Distinct Error Messages in langgenius/dify-web | langgenius/dify | CWE-544 | 8.2 (AI) | High (AI) | 2025-10-22
CVE-2025-58747 | Dify MCP OAuth Flow Vulnerable to XSS | dify | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-10-17
CVE-2025-59422 | Dify Has Broken Access Control on Log Message Endpoint Allows Reading of Chats of Others | dify | CWE-284 | 4.3 (AI) | Medium (AI) | 2025-09-25
CVE-2025-3467 | XSS Vulnerability in langgenius/dify | langgenius/dify | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-07-07
CVE-2025-3466 | Unsanitized Input in langgenius/dify | langgenius/dify | CWE-1100 | 9.8 (AI) | Critical (AI) | 2025-07-07
CVE-2025-49149 | Dify has XSS vulnerability | dify | CWE-79 | 6.1 (AI) | Medium (AI) | 2025-06-17
CVE-2025-43854 | DIFY vulnerable to Clickjacking Attack | dify | CWE-1021 | 6.1 (AI) | Medium (AI) | 2025-04-28
CVE-2025-43862 | Dify Allows Unauthorized Access and Modification of APP Orchestration | dify | CWE-284 | 7.6 | High | 2025-04-25
CVE-2025-32796 | Dify Allows Unauthorized APP Enable/Disable via API | dify | CWE-284 | 6.5 | Medium | 2025-04-18
CVE-2025-32795 | Dify Allows Insecure User Role Access Control for APP Editing | dify | CWE-284 | 6.5 | Medium | 2025-04-18
CVE-2025-32790 | Dify Allows Insecure User Role Access Control for APP DSL Exporting | dify | CWE-284 | 6.3 | Medium | 2025-04-18
CVE-2025-0184 | Server-Side Request Forgery (SSRF) in langgenius/dify | langgenius/dify | CWE-918 | 9.1 | - | 2025-03-20
CVE-2024-11850 | Stored XSS in langgenius/dify | langgenius/dify | CWE-79 | 5.4 | - | 2025-03-20
CVE-2024-12776 | Authentication Bypass in langgenius/dify | langgenius/dify | CWE-305 | 9.8 | - | 2025-03-20
CVE-2024-10252 | Code Injection in langgenius/dify | langgenius/dify | CWE-94 | 9.8 | - | 2025-03-20
CVE-2024-12039 | Improper Restriction of Excessive Authentication Attempts in langgenius/dify | langgenius/dify | CWE-307 | 9.8 | - | 2025-03-20
CVE-2024-12775 | SSRF in langgenius/dify | langgenius/dify | CWE-918 | 9.1 | - | 2025-03-20
CVE-2024-11822 | Server-Side Request Forgery (SSRF) in langgenius/dify | langgenius/dify | CWE-918 | 7.5 | - | 2025-03-20
CVE-2025-0185 | Pandas Query Injection in langgenius/dify | langgenius/dify | CWE-94 | 9.8 | - | 2025-03-20
CVE-2024-11824 | Stored XSS in langgenius/dify | langgenius/dify | CWE-79 | 5.4 | - | 2025-03-20

"(AI)" reproduces the AI badge the original listing attaches to that CVSS score or severity; "-" means the listing gives no severity rating for that entry.

This page lists every published CVE security advisory associated with langgenius. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.