Nixpkgs security tracker
Untriaged
Permalink
CVE-2026-6618
6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV):
- Attack complexity (AC):
- Privileges required (PR):
- User interaction (UI):
- Scope (S):
- Confidentiality impact (C):
- Integrity impact (I):
- Availability impact (A):
Activity log
- Created suggestion
langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery
A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
-
-
Submit #792241 | LangGenius Dify <= v1.13.3 Server-Side Request Forgery (CWE-918) third-party-advisory
Affected products
dify
- ==1.13.3
- ==1.13.1
- ==1.13.2
- ==1.13.0
Matching in nixpkgs
pkgs.speedify
Use multiple internet connections in parallel
-
nixos-unstable 15.8.2-12611
- nixpkgs-unstable 15.8.2-12611
- nixos-unstable-small 15.8.2-12611
-
nixos-25.11 15.8.2-12611
- nixos-25.11-small 15.8.2-12611
- nixpkgs-25.11-darwin 15.8.2-12611
Package maintainers
-
@vdemeester Vincent Demeester <vincent@sbr.pm>
-
@zahrun Zahrun <zahrun@murena.io>