VYPR
Vendor

RAGFlow

Products
1
CVEs
5
Across products
5
Status
Private

Products

1

Recent CVEs

5
  • CVE-2024-53450HigDec 9, 2024
    risk 0.49cvss 7.5epss 0.01

    RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.

  • CVE-2026-24770Jan 27, 2026
    risk 0.00cvss epss 0.01

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a "Zip Slip" vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a…

  • CVE-2025-69286Dec 31, 2025
    risk 0.00cvss epss 0.00

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation algorithm in the API key and beta (assistant/agent share auth) token generation process allows these tokens to be mutually derivable.…

  • CVE-2025-68700Dec 31, 2025
    risk 0.00cvss epss 0.00

    RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely…

  • CVE-2025-51462MedJul 22, 2025
    risk 0.00cvss 6.1epss 0.00

    Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with…