Skip to main content

Dify EUVDEUVD-2025-20208

| CVE-2025-3467 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2025-07-07 security@huntr.dev
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

5
EUVD ID Assigned
Mar 16, 2026 - 03:37 euvd
EUVD-2025-20208
Analysis Generated
Mar 16, 2026 - 03:37 vuln.today
Patch released
Mar 16, 2026 - 03:37 nvd
Patch available
PoC Detected
Jul 10, 2025 - 13:34 vuln.today
Public exploit code
CVE Published
Jul 07, 2025 - 10:15 nvd
MEDIUM 5.4

DescriptionCVE.org

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.

Analysis

An XSS vulnerability exists in langgenius/dify versions prior to 1.1.3, specifically affecting Firefox browsers. This vulnerability allows an attacker to obtain the administrator's token by sending a payload in the published chat. When the administrator views the conversation content through the monitoring/log function using Firefox, the XSS vulnerability is triggered, potentially exposing sensitive token information to the attacker.

Technical ContextAI

Cross-site scripting (XSS) allows injection of client-side scripts into web pages viewed by other users due to insufficient output encoding.

RemediationAI

A vendor patch is available — apply it immediately. Encode all user-supplied output contextually (HTML, JS, URL). Implement Content Security Policy (CSP) headers. Use HTTPOnly and Secure cookie flags.

More in Dify

View all
CVE-2025-56157 CRITICAL POC
9.8 Dec 18

Hard-coded default PostgreSQL credentials shipped in the docker-compose.yaml of langgenius Dify through version 1.5.1 al

CVE-2026-41948 CRITICAL POC
9.3 May 18

Path traversal in Dify versions 0 through 1.14.1 allows authenticated tenants to escape their authorized tenant path and

CVE-2026-41947 CRITICAL POC
9.3 May 18

Cross-tenant authorization bypass in LangGenius Dify versions through 1.14.1 lets any logged-in editor reroute another t

CVE-2025-1796 HIGH POC
8.8 Mar 20

A vulnerability in langgenius/dify v0.10.1 allows an attacker to take over any account, including administrator accounts

CVE-2026-61461 HIGH POC
8.7 Jul 10

SQL injection in Dify's MyScale vector store backend (versions before 1.16.0-rc1) lets authenticated attackers execute a

CVE-2026-41949 HIGH POC
8.2 May 18

Cross-tenant document disclosure in Dify 1.14.1 and prior allows any authenticated user to read up to 3,000 characters o

CVE-2024-12039 HIGH POC
8.1 Mar 20

langgenius/dify version v0.10.1 contains a vulnerability where there are no limits applied to the number of code guess a

CVE-2024-12776 HIGH POC
8.1 Mar 20

In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an

CVE-2025-43862 HIGH POC
7.6 Apr 25

Dify is an open-source LLM app development platform. Rated high severity (CVSS 7.6), this vulnerability is remotely expl

CVE-2024-11824 HIGH POC
7.6 Mar 20

A stored cross-site scripting (XSS) vulnerability exists in langgenius/dify version latest, specifically in the chat log

CVE-2024-11822 HIGH POC
7.5 Mar 20

langgenius/dify version 0.9.1 contains a Server-Side Request Forgery (SSRF) vulnerability. Rated high severity (CVSS 7.5

CVE-2025-3466 HIGH POC
7.2 Jul 07

CVE-2025-3466 is a security vulnerability (CVSS 7.2). Risk factors: public PoC available. Vendor patch is available.

Share

EUVD-2025-20208 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy