CVE-2025-56520

MEDIUM EXPLOITED NUCLEI

Dify - SSRF

Title source: rule

Description

Dify v1.6.0 was discovered to contain a Server-Side Request Forgery (SSRF) via the component controllers.console.remote_files.RemoteFileUploadApi. A different vulnerability than CVE-2025-29720.

Exploits (1)

github WORKING POC 40 stars

by iSee857 · pythonpoc

https://github.com/iSee857/CVE-PoC/tree/main/Dify-CVE-2025-56520-SSRF.py

View Code ZIP pw:eip

Nuclei Templates (1)

Dify v1.6.0 - Server-Side Request Forgery

HIGHVERIFIEDby 0x_Akoko

Shodan: http.title:"Dify"

FOFA: title="Dify"

References (1)

[Exploit, Issue Tracking] https://github.com/langgenius/dify/issues/22532

Scores

CVSS v3 5.3

EPSS 0.0013

EPSS Percentile 32.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Details

VulnCheck KEV 2026-02-11

CWE

CWE-918

Status published

Products (1)

dify/dify 1.6.0

Published Sep 30, 2025

Tracked Since Feb 18, 2026