Infiniflow Ragflow
8 CVEs affecting Infiniflow Ragflow. Latest disclosed: 2026-05-29. Critical: 3, High: 1.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-45312 | Critical | 9.9 | 2026-05-29 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In 0.24.0 and earlier, a Jinja2 template injection in the prompt generator (rag/prompts/… |
| CVE-2026-24770 | Critical | 9.8 | 2026-01-27 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip"… |
| CVE-2025-48187 | Critical | 9.1 | 2025-05-17 | RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arb… |
| CVE-2025-25282 | High | 8.1 | 2025-02-21 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Dire… |
| CVE-2026-28797 | | | 2026-04-03 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exis… |
| CVE-2025-69286 | | | 2025-12-31 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API… |
| CVE-2025-68700 | | | 2025-12-31 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account)… |
| CVE-2025-27135 | | | 2025-02-25 | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts… |