cvedb.io
CVE-2025-49149
MEDIUM · CVSS 6.1
EPSS exploitation probability: 0%
Published 2025-06-17T23:15:30.570 · Last modified 2026-06-17T09:30:49.883

Summary

Dify is an open-source LLM app development platform. In version 1.2.0, the web application does not sufficiently filter user input, so an attacker can inject script code into pages it serves. When another user browses those pages, the injected script executes in their browser, resulting in a cross-site scripting (XSS) attack. At time of posting, there is no known patched version.

Affected products

langgenius — dify


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.