CVE ID: CVE-2025-63386 Date: 2025-12-18 Vendor: LangGenius (Dify) Product: Dify Affected Versions: v1.9.1 Vulnerability Type: Insecure Permissions / CORS Misconfiguration Severity: Medium (Information Disclosure)
Cristliu Cristliu
Cristliu
/ CVE-2025-63386-Disclosure.md
Created
December 18, 2025 07:27
CVE-2025-63386 Security Advisory - CORS Misconfiguration in Dify
Cristliu
/ CVE-2025-63391-Disclosure.md
Created
December 18, 2025 07:27
CVE-2025-63391 Security Advisory - Authentication Bypass in Open-WebUI
CVE ID: CVE-2025-63391 Date: 2025-12-18 Vendor: Open-WebUI Product: Open-WebUI Affected Versions: <= v0.6.32 Vulnerability Type: Insecure Permissions / Authentication Bypass Severity: Medium (Information Disclosure)
Cristliu
/ CVE-2025-63390-Disclosure.md
Created
December 18, 2025 07:27
CVE-2025-63390 Security Advisory - Authentication Bypass in AnythingLLM
CVE ID: CVE-2025-63390 Date: 2025-12-18 Vendor: Mintplex Labs Product: AnythingLLM Affected Versions: v1.8.5 Vulnerability Type: Insecure Permissions / Authentication Bypass Severity: High (Privilege Escalation, Information Disclosure)
Cristliu
/ CVE-2025-63389-Disclosure.md
Created
December 18, 2025 07:27
CVE-2025-63389 Security Advisory - Authentication Bypass in Ollama
CVE ID: CVE-2025-63389 Date: 2025-12-18 Vendor: Ollama Product: Ollama Affected Versions: <= v0.12.3 Vulnerability Type: Incorrect Access Control / Authentication Bypass Severity: Critical (Code Execution, Privilege Escalation, Information Disclosure)
Cristliu
/ CVE-2025-63388-Disclosure.md
Created
December 18, 2025 07:27
CVE-2025-63388 Security Advisory - CORS Misconfiguration in Dify System Features
CVE ID: CVE-2025-63388 Date: 2025-12-18 Vendor: LangGenius (Dify) Product: Dify Affected Versions: v1.9.1 Vulnerability Type: Insecure Permissions / CORS Misconfiguration Severity: Medium (Information Disclosure)
Cristliu
/ CVE-2025-63387-Disclosure.md
Created
December 18, 2025 07:26
CVE-2025-63387 Security Advisory - Unauthenticated Access in Dify
Cristliu
/ 00Publication_CVE-2025-56157-Disclosure.md
Last active
December 23, 2025 03:15
CVE-2025-56157 Security Advisory - Default Credentials in Dify
CVE ID: CVE-2025-56157 Date: 12/18/2025 Vendor: LangGenius (Dify) Product: Dify Affected Versions: <= v1.5.1 Vulnerability Type: Insecure Permissions / Default Credentials Severity: High (Remote Code Execution, Privilege Escalation, Information Disclosure)
Cristliu
/ gist:7e08f8422b71c7c6cca02f2c8ad4c95e
Last active
September 30, 2025 17:56
Dify Platform PostgreSQL Default Credentials Vulnerability
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Vulnerability Overview | |
| Vendor: Dify (langgenius/dify) | |
| Product: Dify - Open-source LLM application development platform | |
| Affected Versions: <= v1.9.1 | |
| Vulnerability Type: CWE-798 (Use of Hard-coded Credentials) | |
| 1. Attack Type: | |
| Remote | |
| Local (for internal environments with exposed services) |