What is CVE-2026-24770?

CVE-2026-24770 is a critical-severity vulnerability in Infiniflow Ragflow, classified under Path Traversal. CVSS score: 9.8/10. Published 2026-01-27.

How severe is CVE-2026-24770?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Path Traversal in Infiniflow Ragflow

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server…

Vulnerability class: Path Traversal (Directory Traversal)

EPSS: 0.011 (78.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Infiniflow Ragflow — versions <= 0.23.1

Weakness classification (CWE)

CWE-22 — Path Traversal

References

https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 (x_refsource_CONFIRM)
https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f (x_refsource_MISC)

Frequently asked questions

What is CVE-2026-24770?: CVE-2026-24770 is a critical-severity vulnerability in Infiniflow Ragflow, classified under Path Traversal. CVSS score: 9.8/10. Published 2026-01-27.
How severe is CVE-2026-24770?: Critical severity. CVSS v3 base score is 9.8 out of 10.