All 7 CVE vulnerabilities found in ragflow, with AI-generated Chinese analysis, references, and POCs.
Vendor: infiniflow
| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-28797 | RAGFlow: Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) in Agent "Text Processing" Component CWE-20 | 8.8 (AI) | High (AI) | 2026-04-03 |
| CVE-2026-24770 | RAGFlow Affected by Zip Slip Remote Code Execution (RCE) in MinerUParser CWE-22 | 9.8 | Critical | 2026-01-27 |
| CVE-2025-69286 | RAGFlow has Predictable Token Generation Leading to Authentication Bypass Vulnerability CWE-340 | 9.8 | - | 2025-12-31 |
| CVE-2025-68700 | RAGFlow Remote Code Execution Vulnerability CWE-78 | 9.9 | - | 2025-12-31 |
| CVE-2025-48187 | RAGFlow security vulnerability CWE-307 | 9.1 | Critical | 2025-05-17 |
| CVE-2025-27135 | RAGFlow SQL Injection vulnerability CWE-89 | 9.8 | - | 2025-02-25 |
| CVE-2025-25282 | Potential Insecure Direct Object Reference (IDOR) vulnerability in ragflow CWE-639 | 7.1 | - | 2025-02-21 |