📦 Ragflow
by Infiniflow
🔍 What is Ragflow?
Description coming soon...
🛡️ Security Overview
⚠️ Known Vulnerabilities
CVE-2026-24770 is a critical Zip Slip vulnerability in RAGFlow's MinerU parser that allows attackers to overwrite arbitrary files on the server via malicious ZIP archives, potentially leading to remot...
CVE-2025-69286 is a critical authentication bypass vulnerability in RAGFlow where API keys and beta tokens are generated using the same insecure algorithm with predictable inputs. An attacker who obta...
CVE-2025-48187 allows attackers to brute-force 6-digit email verification codes in RAGFlow to register accounts, log in, or reset passwords without rate limiting. This enables complete account takeove...
This CVE allows remote attackers to execute arbitrary code on systems running vulnerable versions of infiniflow/ragflow. Attackers can bypass authentication using a hard-coded secret key and exploit i...
CVE-2025-27135 is a critical SQL injection vulnerability in RAGFlow's ExeSQL component that allows attackers to execute arbitrary SQL commands on the database. This affects all deployments running RAG...
CVE-2025-68700 is a critical remote code execution vulnerability in RAGFlow where authenticated low-privilege users can execute arbitrary system commands on the server. This occurs due to improper use...
This SSRF vulnerability in infiniflow/ragflow version 0.12.0 allows attackers to make the server send requests to arbitrary URLs, potentially accessing internal web resources. Attackers can exploit th...
CVE-2025-25282 is an Insecure Direct Object Reference (IDOR) vulnerability in RAGFlow that allows authenticated users to access and modify other tenants' user accounts. This enables unauthorized cross...
RAGFlow 0.13.0 has an improper access control vulnerability in document-hooks.ts that allows unauthenticated attackers to access user documents. This affects all deployments running the vulnerable ver...
This CVE describes a remote code execution vulnerability in the add_llm function of infiniflow/ragflow version 0.11.0. Attackers can exploit user-controlled input parameters to execute arbitrary code ...
This Cross-Site Scripting (XSS) vulnerability in infiniflow/ragflow version 0.12.0 allows attackers to upload malicious PDF files that execute JavaScript when viewed. This affects all users of vulnera...
This vulnerability in infiniflow/ragflow v0.12.0 allows authenticated users to view other users' invite lists without proper authorization. This exposes personal information like email addresses and u...
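The first entry above, CVE-2026-24770, is a Zip Slip bug: an archive entry named with "../" segments is written relative to the extraction directory and lands wherever the attacker chose. The check a parser needs is to resolve every entry's final path before writing anything and refuse the archive if any entry leaves the destination root. The block below is an added example in Python (RAGFlow's language), not RAGFlow's or MinerU's code; the function names, the `build_zip` helper and both archives are constructed here for the demonstration.

```python
"""Zip Slip guard for archive uploads, in the spirit of the MinerU parser issue
(CVE-2026-24770). Added example, not RAGFlow's code: the helper names and both
archives are constructed here."""
import io
import os
import tempfile
import zipfile
from typing import Dict, List


class ZipSlipError(ValueError):
    """Raised when an archive entry would land outside the extraction root."""


def _entry_target(root: str, name: str) -> str:
    # Normalise separators, then join; realpath collapses any "../" segments.
    return os.path.realpath(os.path.join(root, *name.replace("\\", "/").split("/")))


def extract_zip_safely(data: bytes, dest: str) -> List[str]:
    """Extract an in-memory ZIP under dest.

    Every entry is validated before anything is written, so one bad entry aborts
    the whole archive instead of leaving a half-extracted upload behind.
    Returns the relative paths of the files written."""
    root = os.path.realpath(dest)
    os.makedirs(root, exist_ok=True)
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths are never legitimate in an uploaded archive.
            if name.startswith(("/", "\\")) or os.path.isabs(name):
                raise ZipSlipError(f"absolute path in archive: {name!r}")
            target = _entry_target(root, name)
            # The resolved target must stay inside root; "../" entries fail here,
            # and commonpath also defeats the "/root2/x" sibling-prefix trick.
            if os.path.commonpath([root, target]) != root:
                raise ZipSlipError(f"entry escapes destination: {name!r}")
            # Symlink entries could redirect later writes outside root; refuse them.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                raise ZipSlipError(f"symlink entry rejected: {name!r}")
        written = []
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = _entry_target(root, info.filename)
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.relpath(target, root))
    return written


def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory ZIP from {entry name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)   # writestr does not sanitise names
    return buf.getvalue()


# Constructed inputs: a normal upload and one whose entry name climbs out of the
# destination, the shape of a Zip Slip payload.
BENIGN_ZIP = build_zip({"paper/page1.txt": b"hello"})
MALICIOUS_ZIP = build_zip({"../../outside.txt": b"overwritten"})


def demo() -> dict:
    """Run both archives against a fresh temporary directory and report the outcome."""
    out = {}
    with tempfile.TemporaryDirectory() as d:
        out["benign"] = extract_zip_safely(BENIGN_ZIP, d)
        try:
            extract_zip_safely(MALICIOUS_ZIP, d)
            out["malicious"] = "extracted"
        except ZipSlipError:
            out["malicious"] = "rejected"
        # Confirm nothing landed where the malicious entry pointed.
        out["escaped_file_exists"] = os.path.exists(os.path.join(d, "..", "..", "outside.txt"))
    return out
```

Note that `zipfile.ZipFile.extractall` already strips traversal components, so this class of bug usually appears when code builds the output path itself from `info.filename`; the validate-then-write split above is what such code should do instead.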
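Two of the entries above are failures of the same discipline: CVE-2025-69286 describes secrets derived by an algorithm from inputs an attacker can predict, and CVE-2025-48187 describes a 6-digit verification code that could be guessed indefinitely. The block below is an added example in Python, not RAGFlow's code. The `predictable_token` function is a hypothetical illustration of a "predictable inputs" generator and is not RAGFlow's actual algorithm; the hardened side draws from the OS CSPRNG, stores only a hash of the API key, and makes verification codes short-lived, single-use and attempt-limited. The issued code and the clock in the demo are constructed so the run is deterministic.

```python
"""Token and verification-code handling that resists the two failure modes above:
predictable generation (CVE-2025-69286) and unlimited guessing (CVE-2025-48187).
Added example, not RAGFlow's code; the weak generator is a hypothetical illustration."""
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

CODE_DIGITS = 6
MAX_ATTEMPTS = 5          # wrong guesses before the code is burned
CODE_TTL_SECONDS = 600


# --- Predictable generation (hypothetical weak pattern, not RAGFlow's algorithm) ---
def predictable_token(tenant_id: str, issued_at: int) -> str:
    """A deterministic function of values an attacker knows or can narrow down."""
    return hashlib.sha256(f"{tenant_id}:{issued_at}".encode()).hexdigest()


def recover_predictable_token(target: str, tenant_id: str, approx_time: int,
                              window: int = 120) -> Optional[int]:
    """Attacker side: with the tenant id and a rough issue time, the search space
    is only the time window, so the token falls out after a few hundred hashes."""
    for t in range(approx_time - window, approx_time + window + 1):
        if hmac.compare_digest(predictable_token(tenant_id, t), target):
            return t
    return None


# --- Fix: OS CSPRNG, store only a fingerprint, compare in constant time ---
def new_api_key() -> str:
    return secrets.token_urlsafe(32)       # 256 bits, independent of tenant or time


def api_key_fingerprint(key: str) -> str:
    return hashlib.sha256(key.encode()).hexdigest()


def api_key_matches(stored_fingerprint: str, presented: str) -> bool:
    return hmac.compare_digest(stored_fingerprint, api_key_fingerprint(presented))


def api_key_roundtrip() -> Tuple[bool, bool]:
    key = new_api_key()
    stored = api_key_fingerprint(key)      # what the database keeps; the key is shown once
    return api_key_matches(stored, key), api_key_matches(stored, key + "x")


# --- Verification codes: short-lived, single-use, attempt-limited ---
class VerificationCodes:
    def __init__(self, now=time.time, randbelow=secrets.randbelow):
        self._now = now
        self._randbelow = randbelow        # injectable so the demo is deterministic
        self._pending = {}                 # email -> {"code", "expires", "attempts"}

    def issue(self, email: str) -> str:
        code = f"{self._randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[email] = {"code": code,
                                "expires": self._now() + CODE_TTL_SECONDS,
                                "attempts": 0}
        return code

    def verify(self, email: str, presented: str) -> str:
        rec = self._pending.get(email)
        if rec is None:
            return "no_code"
        if self._now() > rec["expires"]:
            del self._pending[email]
            return "expired"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self._pending[email]       # burn it; the user must request a new code
            return "locked"
        rec["attempts"] += 1
        if hmac.compare_digest(rec["code"], presented):
            del self._pending[email]       # single use
            return "ok"
        return "wrong"


def brute_force_demo() -> dict:
    """An attacker walks the 6-digit space against a store that issued a constructed code."""
    store = VerificationCodes(now=lambda: 1_700_000_000, randbelow=lambda n: 987_654)
    store.issue("victim@example.com")
    guesses, outcome = 0, None
    for g in range(10 ** CODE_DIGITS):
        guesses += 1
        outcome = store.verify("victim@example.com", f"{g:0{CODE_DIGITS}d}")
        if outcome in ("ok", "locked"):
            break
    return {"guesses_made": guesses, "outcome": outcome}
```

The attempt counter is per issued code, which is what stops the online brute force; a production deployment would also throttle per source address and per account so an attacker cannot simply request a fresh code after each lockout.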
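The SSRF entry for version 0.12.0 above concerns the server fetching a URL the user supplied. The usual guard is to allow only http/https, resolve the host name, and require every resolved address to be public, with IPv4-mapped IPv6 literals unwrapped before the test. The block below is an added example in Python, not RAGFlow's code; the resolver is injectable so the check runs offline, and the `DEMO_DNS` table is constructed.

```python
"""Outbound-URL validation against SSRF, the class of the fetch issue listed for
0.12.0. Added example, not RAGFlow's code; the resolver is injectable so the
check runs offline, and the demo DNS table is constructed."""
import ipaddress
import socket
from typing import Callable, List, Tuple
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Real resolution via getaddrinfo; returns every address, not just the first."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    # An IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 must be judged as 127.0.0.1.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_private covers RFC 1918 and loopback; is_link_local catches 169.254.169.254,
    # the cloud metadata endpoint that SSRF so often targets.
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_outbound_url(url: str, resolver: Resolver = system_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason). Every resolved address must be public: a name
    that maps to one public and one internal address is rejected as a whole."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host"
    if parts.username or parts.password:
        return False, "credentials in URL"
    try:
        ipaddress.ip_address(host)
        addresses = [host]             # literal address: nothing to resolve
    except ValueError:
        try:
            # Decimal or octal spellings like 2130706433 are not literals to
            # ip_address(); they reach the resolver and are judged by its answer.
            addresses = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, f"resolution failed: {exc}"
    if not addresses:
        return False, "resolved to nothing"
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


# Constructed DNS answers for the offline demo.
DEMO_DNS = {
    "example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "split.test": ["93.184.216.34", "127.0.0.1"],   # one public, one loopback
}


def demo_resolver(host: str) -> List[str]:
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver has no record for {host}")
    return DEMO_DNS[host]


def demo() -> dict:
    cases = [
        "https://example.com/paper.pdf",
        "http://internal.corp/admin",
        "http://169.254.169.254/latest/meta-data/",
        "http://[::ffff:127.0.0.1]:8080/",
        "file:///etc/passwd",
        "http://split.test/",
    ]
    return {u: check_outbound_url(u, demo_resolver)[0] for u in cases}
```

This check resolves once; a name that changes its answer between check and connect (DNS rebinding) gets past it, so a hardened fetcher connects to the address it validated rather than re-resolving, and runs the same check on every redirect hop instead of following redirects automatically.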