CVE-2025-49149 MEDIUM

CVE-2025-49149: Dify has XSS vulnerability

Vendor Langgenius

Product dify

Weakness CWE-79 · XSS

Published June 17, 2025

Last update June 18, 2025

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N

What the vulnerability does

01Description

Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting (XSS) attack when a user browses these web pages. At time of posting, there is no known patched version.

Key dates

02Disclosure timeline

June 17, 2025 CVE published

June 18, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-49149 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2025-14893 IndieWeb <= 4.0.5 - Authenticated (Author+) Stored Cross-Site Scripting via 'Telephone' Parameter CVE-2025-15267 Bold Page Builder <= 5.5.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via bt_bb_accordion_item Shortcode CVE-2026-41539 QTS, QuTS hero CVE-2025-5490 Football Pool <= 2.12.4 - Authenticated (Administrator+) Stored Cross-Site Scripting CVE-2025-24535 WordPress SKT Donation plugin <= 1.9 - Reflected Cross Site Scripting (XSS) vulnerability