132 matches found
CVE-2025-68700
RAGFlow (pre-0.23.0) is affected by a Remote Code Execution vulnerability. An authenticated, low-privilege user can cause arbitrary commands on the server host via the frontend Canvas CodeExec component because untrusted stdout is parsed with eval() without filtering or sandboxing. This design fl...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow versions prior to 0.22.0 that stems from the use of insecure key generation algorithms during API key and beta token generation, which could lead to...
RAGFlow 安全漏洞
RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow open source. A security vulnerability exists in RAGFlow versions prior to 0.23.0, which stems from the front-end Canvas CodeExec component using eval to parse untrusted data without filtering or sandboxing,...
PT-2025-54459
Name of the Vulnerable Software and Affected Versions RAGFlow versions prior to 0.23.0 Description RAGFlow is a Retrieval-Augmented Generation engine susceptible to arbitrary system command execution. A low-privileged authenticated user can execute commands on the server host process through the...
PT-2025-54469
Name of the Vulnerable Software and Affected Versions RAGFlow versions prior to 0.22.0 Description RAGFlow is a Retrieval-Augmented Generation engine. Versions prior to 0.22.0 utilize an insecure key generation algorithm when creating API keys and beta tokens assistant/agent share auth. This allo...
EUVD-2025-7013
Malicious code in bioql PyPI...
EUVD-2025-22375
Malicious code in bioql PyPI...
EUVD-2025-6997
Malicious code in bioql PyPI...
EUVD-2025-15586
Malicious code in bioql PyPI...
EUVD-2025-6990
Malicious code in bioql PyPI...
EUVD-2024-51969
Malicious code in bioql PyPI...
EUVD-2025-5080
Malicious code in bioql PyPI...
EUVD-2025-7015
Malicious code in bioql PyPI...
EUVD-2025-6989
Malicious code in bioql PyPI...
CVE-2025-51462
Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...
CVE-2025-51462
Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...
RAGFlow 跨站脚本漏洞
RAGFlow is an open source RAG engine based on deep document understanding by InfiniFlow open source. A security vulnerability exists in RAGFlow version 0.17.2, which stems from a stored cross-site scripting vulnerability in api.apps.dialogapp.setdialog that could lead to the execution of arbitrar...
CVE-2025-51462
Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...
CVE-2025-51462
CVE-2025-51462 describes a stored XSS in RAGFlow 0.17.2, via api.apps.dialog_app.set_dialog: crafted input to the assistant greeting field is stored unsanitised and rendered by a markdown component with rehype-raw, enabling execution of arbitrary JavaScript. The vulnerability affects RAGFlow 0.17...
CVE-2025-51462
Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...