CVE-2025-51462

Medium CVSS: 6.1

Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.

Vendor

Infiniflow

Product

Ragflow

CWE

CWE-79

Yayın Tarihi

2025-07-22 21:15:44

Güncelleme

2025-10-09 16:02:10

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-79 Ragflow MEDIUM Infiniflow 2025

Referanslar

https://github.com/infiniflow/ragflow https://github.com/infiniflow/ragflow/pull/7250 https://www.gecko.security/blog/cve-2025-51462

Benzer Kayıtlar

Critical

CVE-2026-24770

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions,…

High

CVE-2025-68700

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged aut…

High

CVE-2025-69286

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.22.0, the use of an insecu…

Critical

CVE-2025-48187

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against…

Medium

CVE-2024-12869

In infiniflow/ragflow version v0.12.0, there is an improper authentication vulnerability that allows a user to view anot…

Medium

CVE-2024-12871

An XSS vulnerability in infiniflow/ragflow version 0.12.0 allows an attacker to upload a malicious PDF file to the knowl…