Nixpkgs security tracker

Login with GitHub
⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestions search

Untriaged
Filter by:
With package: gomodifytags

Found 6 matching suggestions

View:
Compact
Detailed
Permalink CVE-2026-6619
3.5 LOW
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 5 days, 13 hours ago Activity log
  • Created suggestion 5 days, 13 hours ago
langgenius dify ImagePreview image-preview.tsx openInNewTab cross site scripting

A vulnerability has been found in langgenius dify up to 1.13.3. Impacted is the function openInNewTab of the file web/app/components/base/image-uploader/image-preview.tsx of the component ImagePreview. The manipulation of the argument filename leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

dify
  • ==1.13.3
  • ==1.13.1
  • ==1.13.2
  • ==1.13.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-34082
created 5 days, 13 hours ago Activity log
  • Created suggestion 5 days, 13 hours ago
Dify has IDOR in deleting someone else's chat conversation

Dify is an open-source LLM app development platform. Prior to 1.13.1, the method `DELETE /console/api/installed-apps/<appId>/conversations/<conversationId>` has poor authorization checking and allows any Dify-authenticated user to delete someone else's chat history. Version 1.13.1 patches the issue.

Affected products

dify
  • ==< 1.13.1

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-6617
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 5 days, 13 hours ago Activity log
  • Created suggestion 5 days, 13 hours ago
langgenius dify ApiToolManageService api_tools_manage_service.py get_api_tool_provider_remote_schema server-side request forgery

A vulnerability was detected in langgenius dify up to 0.6.9. This vulnerability affects the function get_api_tool_provider_remote_schema of the file api/services/tools/api_tools_manage_service.py of the component ApiToolManageService. Performing a manipulation of the argument url results in server-side request forgery. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

dify
  • ==0.6.2
  • ==0.6.4
  • ==0.6.3
  • ==0.6.7
  • ==0.6.8
  • ==0.6.1
  • ==0.6.0
  • ==0.6.9
  • ==0.6.6
  • ==0.6.5

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-6618
6.3 MEDIUM
  • CVSS version: 3.1
  • Attack vector (AV):
  • Attack complexity (AC):
  • Privileges required (PR):
  • User interaction (UI):
  • Scope (S):
  • Confidentiality impact (C):
  • Integrity impact (I):
  • Availability impact (A):
created 5 days, 13 hours ago Activity log
  • Created suggestion 5 days, 13 hours ago
langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse_openai_plugin_json_to_tool_bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected products

dify
  • ==1.13.3
  • ==1.13.1
  • ==1.13.2
  • ==1.13.0

Matching in nixpkgs

Package maintainers

Permalink CVE-2026-21866
created 1 month, 3 weeks ago Activity log
  • Created suggestion 1 month, 3 weeks ago
Dify - Stored XSS in chat

Dify is an open-source LLM app development platform. Prior to 1.11.2, Dify is vulnerable to a stored XSS issue when rendering Mermaid diagrams within chats. This occurs because Dify’s default Mermaid configuration uses securityLevel: loose, which allows potentially unsafe content to execute. This vulnerability is fixed in 1.11.2.

Affected products

dify
  • ==< 1.11.2

Matching in nixpkgs

pkgs.hiddify-app

Multi-platform auto-proxy client, supporting Sing-box, X-ray, TUIC, Hysteria, Reality, Trojan, SSH etc

Package maintainers

Permalink CVE-2026-28288
created 1 month, 4 weeks ago Activity log
  • Created suggestion 1 month, 4 weeks ago
Dify has a user enumeration issue

Dify is an open-source LLM app development platform. Prior to 1.9.0, responses from the Dify API to existing and non-existent accounts differ, allowing an attacker to enumerate email addresses registered with Dify. Version 1.9.0 fixes the issue.

Affected products

dify
  • ==< 1.9.0

Matching in nixpkgs

pkgs.hiddify-app

Multi-platform auto-proxy client, supporting Sing-box, X-ray, TUIC, Hysteria, Reality, Trojan, SSH etc

Package maintainers