Lucene search
+L

136 matches found

Cvelist
Cvelist
added 2025/07/22 12:0 a.m.16 views

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

0.00285EPSS
Exploits1References3
CNNVD
CNNVD
added 2025/07/22 12:0 a.m.5 views

RAGFlow 跨站脚本漏洞

RAGFlow is an open source RAG engine based on deep document understanding by InfiniFlow open source. A security vulnerability exists in RAGFlow version 0.17.2, which stems from a stored cross-site scripting vulnerability in api.apps.dialogapp.setdialog that could lead to the execution of arbitrar...

6.1CVSS6.1AI score0.00285EPSS
Exploits1References5
Vulnrichment
Vulnrichment
added 2025/07/22 12:0 a.m.6 views

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

6.2AI score0.00285EPSS
Exploits1References3
Positive Technologies
Positive Technologies
added 2025/07/22 12:0 a.m.5 views

PT-2025-30456 · Ragflow · Ragflow

Name of the Vulnerable Software and Affected Versions: RAGFlow version 0.17.2 Description: A stored Cross-site Scripting XSS issue exists in the api.apps.dialog app.set dialog function. This allows remote attackers to execute arbitrary JavaScript code through crafted input to the assistant greeti...

6.1CVSS6.1AI score0.00285EPSS
Exploits1References6
CVE
CVE
added 2025/07/22 12:0 a.m.25 views

CVE-2025-51462

CVE-2025-51462 describes a stored XSS in RAGFlow 0.17.2, via api.apps.dialog_app.set_dialog: crafted input to the assistant greeting field is stored unsanitised and rendered by a markdown component with rehype-raw, enabling execution of arbitrary JavaScript. The vulnerability affects RAGFlow 0.17...

6.1CVSS6.2AI score0.00285EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2025/07/22 12:0 a.m.5 views

CVE-2025-51462

Stored Cross-site Scripting XSS vulnerability in api.apps.dialogapp.setdialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw...

6.1CVSS6.3AI score0.00285EPSS
Exploits1References5
RedhatCVE
RedhatCVE
added 2025/05/23 7:15 a.m.8 views

CVE-2024-53450

RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents...

7.5CVSS6.9AI score0.00531EPSS
Exploits1References1
NVD
NVD
added 2025/05/17 1:15 p.m.20 views

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting...

9.8CVSS0.00492EPSS
Exploits1References2
OSV
OSV
added 2025/05/17 1:15 p.m.4 views

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting...

9.8CVSS5.9AI score0.00492EPSS
Exploits1References2
Positive Technologies
Positive Technologies
added 2025/05/17 12:0 a.m.6 views

PT-2025-21792 · Ragflow · Ragflow

Name of the Vulnerable Software and Affected Versions: RAGFlow versions 0.18.1 and earlier Description: The issue allows account takeover due to the possibility of conducting successful brute-force attacks against email verification codes. This enables arbitrary account registration, login, and...

9.8CVSS6.9AI score0.00492EPSS
Exploits1References11
Vulnrichment
Vulnrichment
added 2025/05/17 12:0 a.m.6 views

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting...

9.1CVSS9.4AI score0.00492EPSS
Exploits1References2
CNNVD
CNNVD
added 2025/05/17 12:0 a.m.5 views

RAGFlow 安全漏洞

RAGFlow is an open source RAG engine based on deep document understanding from InfiniFlow Open Source. A security vulnerability exists in RAGFlow version 0.18.1 and earlier, which stems from a brute force attack could lead to account takeover...

9.8CVSS6.5AI score0.00492EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/03/22 1:18 p.m.13 views

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or...

5.4CVSS6.2AI score0.00359EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/03/22 1:13 p.m.18 views

CVE-2024-12779

A Server-Side Request Forgery SSRF vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the POST /v1/llm/addllm and POST /v1/conversation/tts endpoints. Attackers can specify an arbitrary URL as the apibase when adding an OPENAITTS model, and subsequently...

7.5CVSS7AI score0.0061EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/03/22 1:12 p.m.18 views

CVE-2024-12450

In infiniflow/ragflow versions 0.12.0, the webcrawl function in documentapp.py contains multiple vulnerabilities. The function does not filter URL parameters, allowing attackers to exploit Full Read SSRF by accessing internal network addresses and viewing their content through the generated PDF...

9.8CVSS7.6AI score0.01211EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/03/22 12:27 p.m.9 views

CVE-2024-12880

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipulate their tenant access to query and acce...

8.1CVSS6.7AI score0.00641EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2025/03/22 12:24 p.m.7 views

CVE-2024-12433

A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey 'authkey=b'infiniflow-token4kevinhu'' which can be easily fetched by attackers to join the group communication without restrictions. Additionally, the serve...

9.8CVSS7.6AI score0.01549EPSS
Exploits1References1
NVD
NVD
added 2025/03/20 10:15 a.m.21 views

CVE-2024-12870

A stored cross-site scripting XSS vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch cec2080. The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' conten...

5.4CVSS0.00454EPSS
Exploits0References1
NVD
NVD
added 2025/03/20 10:15 a.m.10 views

CVE-2024-12880

A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can manipulate their tenant access to query and acce...

8.1CVSS0.00641EPSS
Exploits1References1
NVD
NVD
added 2025/03/20 10:15 a.m.11 views

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the file is viewed within Ragflow, the payload is executed in the context of the user's browser. This can lead to session hijacking, data exfiltration, or...

5.4CVSS0.00359EPSS
Exploits1References1
Rows per page
Query Builder