Eric-G

#13054of 53,624
20.3Total CVSS
Vulnerabilities · 4
Low
1
Medium
3
PT-2026-41589
3.3
2026-05-17
Continue · Continue · CVE-2026-8770
**Name of the Vulnerable Software and Affected Versions** continuedev continue versions prior to 1.2.23 **Description** A path traversal issue exists in the JSON-RPC Server component within the `lsTool()` function of the `core/tools/implementations/lsTool.ts` file. This occurs when the `dirPath` argument is manipulated, allowing a local attacker to access files or directories outside the intended folder. **Recommendations** Update to a version later than 1.2.22. As a temporary workaround, restrict access to the `lsTool()` function to minimize the risk of exploitation.
PT-2026-33730
6.5
2026-04-20
Langgenius · Dify · CVE-2026-6617
**Name of the Vulnerable Software and Affected Versions** Langgenius Dify versions prior to 0.7.0 **Description** A server-side request forgery exists in the ApiToolManageService component. The issue occurs within the `get api tool provider remote schema()` function located in the 'api/services/tools/api tools manage service.py' file. A remote attacker can trigger this by manipulating the `url` argument. **Recommendations** Update to a version newer than 0.6.9. As a temporary workaround, restrict access to the `get api tool provider remote schema()` function until the update is applied.
PT-2026-33733
6.5
2026-04-20
Langgenius · Dify · CVE-2026-6618
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse openai plugin json to tool bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
PT-2026-33734
4.0
2026-04-20
Langgenius · Dify · CVE-2026-6619
A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.