RCE in Infiniflow Ragflow

CVE-2026-28797

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message com…

Vulnerability class: Drupalgeddon 2 (CVE-2018-7600)

EPSS: 0.001 (27.5th percentile) — read the EPSS interpretation.