CVE-2025-48187

Critical CVSS: 9.1

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.

Vendor

Infiniflow

Product

Ragflow

CWE

CWE-307

Yayın Tarihi

2025-05-17 13:15:47

Güncelleme

2025-06-12 16:29:12

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-307 Ragflow CRITICAL Infiniflow 2025

Referanslar

https://github.com/infiniflow/ragflow/commits/main/ https://www.cnblogs.com/qiushuo/p/18881084 https://www.cnblogs.com/qiushuo/p/18881084

Benzer Kayıtlar

Critical

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…

High

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged aut…

High

CVE-2025-69286

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecu…

Medium

CVE-2025-51462

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attack…

Medium

CVE-2024-12869

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot…

Medium

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl…