CVE-2024-12433
- EPSS 2.14%
- Published 20.03.2025 10:10:08
- Last modified 14.07.2025 17:53:11
A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded AuthKey `authkey=b'infiniflow-token4kevinhu'` which can be easily fetched by attackers to join the group communicatio...
CVE-2024-12880
- EPSS 0.08%
- Published 20.03.2025 10:09:37
- Last modified 15.10.2025 13:15:41
A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue arises from the way tenant IDs are handled in the application. If a user has access to multiple tenants, they can m...
CVE-2025-27135
- EPSS 0.27%
- Published 25.02.2025 19:15:15
- Last modified 22.04.2025 12:57:00
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time o...
CVE-2025-25282
- EPSS 0.14%
- Published 21.02.2025 21:15:23
- Last modified 16.07.2025 14:24:03
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can exploit the Insecure Direct Object Reference (IDOR) vulnerability that may lead to unauthorized cross-tenant access ...
CVE-2024-53450
- EPSS 0.34%
- Published 09.12.2024 17:15:09
- Last modified 10.07.2025 22:34:47
RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.
CVE-2024-10131
- EPSS 2.21%
- Published 19.10.2024 04:15:05
- Last modified 15.10.2025 13:15:34
The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The function uses user-supplied input `req['llm_factory']` and `req['llm_name']` to dynamically instantiate classes from...