Infiniflow: >> Ragflow >> 0.17.2 Security Vulnerabilities
Stored Cross-site Scripting (XSS) vulnerability in api.apps.dialog_app.set_dialog in RAGFlow 0.17.2 allows remote attackers to execute arbitrary JavaScript via crafted input to the assistant greeting field, which is stored unsanitised and rendered using a markdown component with rehype-raw.
CVSS Score
6.1
EPSS Score
0.001
Published
2025-07-22
RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration, login, and password reset. Codes are six digits and there is no rate limiting.
CVSS Score
9.1
EPSS Score
0.001
Published
2025-05-17