Every CVE whose affected-product data names Infiniflow Ragflow, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (16)
CVE-2025-27135 — CVSS 9.8 (critical): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The…
CVE-2024-12433 — CVSS 9.8 (critical): A vulnerability in infiniflow/ragflow versions v0.12.0 allows for remote code execution. The RPC server in RagFlow uses a hard-coded…
CVE-2024-12450 — CVSS 9.8 (critical): In infiniflow/ragflow versions 0.12.0, the `web_crawl` function in `document_app.py` contains multiple vulnerabilities. The function does…
CVE-2026-24770 — CVSS 9.8 (critical): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser…
CVE-2025-69286 — CVSS 9.8 (critical): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecure key generation…
CVE-2025-48187 — CVSS 9.1 (critical): RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification…
CVE-2024-10131 — CVSS 8.8 (high): The `add_llm` function in `llm_app.py` in infiniflow/ragflow version 0.11.0 contains a remote code execution (RCE) vulnerability. The…
CVE-2025-68700 — CVSS 8.8 (high): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user…
CVE-2026-28797 — CVSS 8.8 (high): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection…
CVE-2025-25282 — CVSS 8.1 (high): RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding. An authenticated user can…
CVE-2024-12779 — CVSS 7.5 (high): A Server-Side Request Forgery (SSRF) vulnerability exists in infiniflow/ragflow version 0.12.0. The vulnerability is present in the `POST…
CVE-2024-53450 — CVSS 7.5 (high): RAGFlow 0.13.0 suffers from improper access control in document-hooks.ts, allowing unauthorized access to user documents.
CVE-2024-12880 — CVSS 6.5 (medium): A vulnerability in infiniflow/ragflow version RAGFlow-0.13.0 allows for partial account takeover via insecure data querying. The issue…
CVE-2025-51462 — CVSS 6.1 (medium): Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute…
CVE-2024-12871 — CVSS 5.4 (medium): An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowledge base. When the…
CVE-2024-12869 — CVSS 4.3 (medium): In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view another user's invite…