
infiniflow ragflow

16 known vulnerabilities across versions
Vulnerabilities are listed by affected version.
CVE-2026-28797
Affected versions: <= 0.24.0
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Inject
Severity: 8.8 HIGH

CVE-2026-24770
Affected versions: <= 0.23.1
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU
Severity: 9.8 CRITICAL

CVE-2025-69286
Affected versions: < 0.22.0
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key gen
Severity: 9.8 CRITICAL

CVE-2025-68700
Affected versions: < 0.23.0
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated
Severity: 8.8 HIGH

CVE-2025-51462
Affected versions: all versions
Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to exe
Severity: 6.1 MEDIUM

CVE-2025-48187
Affected versions: <= 0.18.1
RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email veri
Severity: 9.1 CRITICAL

CVE-2024-12880
Affected versions: all versions
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The i
Severity: 6.5 MEDIUM

CVE-2024-12871
Affected versions: all versions
An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base.
Severity: 5.4 MEDIUM

CVE-2024-12869
Affected versions: all versions
In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's
Severity: 4.3 MEDIUM

CVE-2024-12779
Affected versions: all versions
A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in th
Severity: 7.5 HIGH

CVE-2024-12450
Affected versions: all versions
In infiniflow/ragflow versions 0.12.0, the web_crawl function in document_app.py contains multiple vulnerabilities. The functi
Severity: 9.8 CRITICAL

CVE-2024-12433
Affected versions: >= 0.12.0 and < 0.14.0
A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-cod
Severity: 9.8 CRITICAL

CVE-2025-27135
Affected versions: <= 0.15.1
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection.
Severity: 9.8 CRITICAL

CVE-2025-25282
Affected versions: >= 0.13.0 and < 0.14.1
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user
Severity: 8.1 HIGH

CVE-2024-53450
Affected versions: all versions
RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.
Severity: 7.5 HIGH

CVE-2024-10131
Affected versions: all versions
The add_llm function in llm_app.py in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability.
Severity: 8.8 HIGH
threatengine.sh