CVE-2025-27135

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...

CVE-2025-27135

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...

CVE-2025-27135 RAGFlow SQL Injection vulnerability

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...

CVE-2025-27135 RAGFlow SQL Injection vulnerability

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...

CVE-2025-27135 RAGFlow SQL Injection vulnerability

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...

RAGFlow SQL注入漏洞

RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A SQL injection vulnerability exists in RAGFlow version 0.15.1 and prior versions, which stems from the ExeSQL component extracting SQL statements from input and sending them directly to a...

PT-2025-7904 · Ragflow · Ragflow

Name of the Vulnerable Software and Affected Versions: RAGFlow versions 0.15.1 and prior Description: RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query, making it vulnerab...

CVE-2025-25282

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...

CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...

CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...

CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow

RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...

CVE-2025-25282

CVE-2025-25282 pertains to RAGFlow, an open-source RAG engine. An authenticated user can exploit an Insecure Direct Object Reference (IDOR) vulnerability that enables unauthorized cross-tenant access, including listing tenant user accounts and adding users to other tenants. Affected behavior cent...

RAGFlow 安全漏洞

RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow that stems from an insecure direct object reference that results in unauthorized cross-tenant access...

PT-2025-7554 · Ragflow · Ragflow

Name of the Vulnerable Software and Affected Versions: RAGFlow versions /user/list" and "POST //user". Recommendations: For RAGFlow versions /user/list" and "POST //user", to minimize the risk of exploitation...

CVE-2024-10131

The addllm function in llmapp.py in infiniflow/ragflow version 0.11.0 contains a remote code execution RCE vulnerability. The function uses user-supplied input req'llmfactory' and req'llmname' to dynamically instantiate classes from various model dictionaries. This approach allows an attacker to...

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents...

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents...

CVE-2024-53450

RAGFlow 0.13.0 is affected by improper access control in document-hooks.ts, enabling unauthorized access to user documents. The issue is documented across multiple feeds (Red Hat, NVD, OSV, CNNVD, etc.) with no explicit attacker/vector details provided in the core CVE entry, but the root cause is...

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents...

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents...