CVE-2025-27135

High CVSS: 8.9

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

Vendor

Infiniflow

Product

Ragflow

CWE

CWE-89

Yayın Tarihi

2025-02-25 19:15:15

Güncelleme

2025-04-22 12:57:00

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-89 Ragflow HIGH Infiniflow 2025

Referanslar

https://github.com/infiniflow/ragflow/blob/v0.15.1/agent/component/exesql.py https://github.com/infiniflow/ragflow/security/advisories/GHSA-3gqj-66qm-25jq https://swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42?pvs=4 https://swizzky.notion.site/ragflow-exesql-150ca6df7c03806989cefde915cf8e42

Benzer Kayıtlar

Critical

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…

High

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged aut…

High

CVE-2025-69286

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecu…

Medium

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attack…

Critical

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against…

Medium

CVE-2024-12869

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot…