Medium severity6.1NVD Advisory· Published Jul 22, 2025· Updated Jun 17, 2026
CVE-2025-51462
CVE-2025-51462
Description
Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <0.17.2
Patches
Vulnerability mechanics
References
2- github.com/infiniflow/ragflow/pull/7250nvdExploitIssue Tracking
- www.gecko.security/blog/cve-2025-51462nvdExploitThird Party Advisory
News mentions
0No linked articles in our index yet.