136 matches found
CVE-2024-12880 Partial Account Takeover due to Insecure Data Querying in infiniflow/ragflow
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipulate their tenant access to query and acce...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version 0.12.0, which stems from unvalidated PDF file content and could lead to a cross-site scripting attack...
PT-2025-12136 · Unknown +1 · Infiniflow/Ragflow +1
Name of the Vulnerable Software and Affected Versions: infiniflow/ragflow version 0.12.0 Description: The web crawl function in document app.py contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal networ...
RAGFlow 跨站脚本漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A cross-site scripting vulnerability exists in RAGFlow cec2080 version, which stems from unvalidated file content and could lead to a stored cross-site scripting attack...
RAGFlow 授权问题漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. An authorization issue vulnerability exists in RAGFlow version 0.13.0, which stems from not handling tenant IDs correctly and could lead to partial account takeover...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version v0.12.0 that stems from not properly validating authentication, which could lead to a privacy breach...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version 0.12.0 that originates from an unvalidated URL and could lead to a server-side request forgery attack...
RAGFlow 代码问题漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A code issue vulnerability exists in RAGFlow version v0.12.0, which stems from hard-coded AuthKey and pickle deserialization and could lead to remote code execution...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version 0.12.0 that stems from unfiltered URL parameters and the use of an outdated version of Chromium, which could lead to full-read SSRF and remote...
CVE-2025-27135
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...
CVE-2025-27135
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...
CVE-2025-27135 RAGFlow SQL Injection vulnerability
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...
CVE-2025-27135 RAGFlow SQL Injection vulnerability
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...
CVE-2025-27135 RAGFlow SQL Injection vulnerability
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available...
PT-2025-7904 · Ragflow · Ragflow
Name of the Vulnerable Software and Affected Versions: RAGFlow versions 0.15.1 and prior Description: RAGFlow is an open-source RAG Retrieval-Augmented Generation engine. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query, making it vulnerab...
RAGFlow SQL注入漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A SQL injection vulnerability exists in RAGFlow version 0.15.1 and prior versions, which stems from the ExeSQL component extracting SQL statements from input and sending them directly to a...
CVE-2025-25282
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...
CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...
CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...
CVE-2025-25282 Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow
RAGFlow is an open-source RAG Retrieval-Augmented Generation engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference IDOR vulnerability that may lead to unauthorized cross-tenant access list tenant user accounts, add user account into...