CVE-2026-28797 in ragflow
Summary (English)
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At the time of publication, there are no publicly available patches.
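The root cause described above is the rendering of user-controlled template text through a plain jinja2.Template, which exposes the full Python object graph to the template author. The following added example (not RAGFlow's own code, and not a patch for it) contrasts that pattern with rendering through jinja2.sandbox.SandboxedEnvironment, and wraps the comparison in a small regression check a maintainer could keep in a test suite. The template strings and context are constructed for illustration; the function names are this example's own.

```python
"""Added example: unsandboxed jinja2.Template versus SandboxedEnvironment.

This is illustrative code, not RAGFlow's implementation. It shows why
rendering user-supplied templates with jinja2.Template is dangerous and
how a sandboxed environment refuses the attribute access that SSTI relies on.
"""
from jinja2 import StrictUndefined, Template
from jinja2.exceptions import TemplateRuntimeError
from jinja2.sandbox import SandboxedEnvironment

# Constructed sample input: a benign template a workflow author might legitimately write.
BENIGN_TEMPLATE = "Hello {{ name | upper }}, you have {{ items | length }} items."

# Constructed probe: a template that reaches for a private (dunder) attribute.
# Harmless on its own, but it is exactly the kind of access a renderer of
# untrusted templates must refuse, so it makes a good sandbox regression check.
PROBE_TEMPLATE = "{{ ''.__class__ }}"

# Constructed render context.
CONTEXT = {"name": "alice", "items": [1, 2, 3]}


def render_unsandboxed(template_src: str, context: dict) -> str:
    """The vulnerable pattern: jinja2.Template gives the template full object access."""
    return Template(template_src).render(**context)


def render_sandboxed(template_src: str, context: dict) -> str:
    """Hardened pattern: SandboxedEnvironment blocks private attributes and unsafe calls.

    StrictUndefined is used so that a blocked attribute lookup fails loudly
    instead of silently rendering as an empty string.
    """
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_src).render(**context)


def sandbox_blocks(template_src: str, context: dict) -> bool:
    """Return True if the sandboxed renderer refuses to render template_src.

    SecurityError (raised for unsafe attribute access) and UndefinedError both
    derive from TemplateRuntimeError, so catching the base class covers both.
    """
    try:
        render_sandboxed(template_src, context)
    except TemplateRuntimeError:
        return True
    return False


if __name__ == "__main__":
    print("unsandboxed benign :", render_unsandboxed(BENIGN_TEMPLATE, CONTEXT))
    print("sandboxed benign   :", render_sandboxed(BENIGN_TEMPLATE, CONTEXT))
    print("unsandboxed probe  :", render_unsandboxed(PROBE_TEMPLATE, CONTEXT))
    print("sandbox blocks probe:", sandbox_blocks(PROBE_TEMPLATE, CONTEXT))
```

The benign template renders identically under both environments, which is the point: moving to SandboxedEnvironment costs legitimate workflow authors nothing, while the probe that an unsandboxed Template happily evaluates is refused by the sandbox. Pairing the sandbox with StrictUndefined turns that refusal into an exception that can be logged and alerted on rather than an empty string that passes unnoticed.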
Responsible: GitHub_M
Reserved: 03.03.2026
Published: 04.04.2026
Status: Confirmed
Entries
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerability | CWE | Aus | Mas | CVE |
|---|---|---|---|---|---|
| 355262 | infiniflow ragflow Text privilege escalation | 1336 | Not defined | Not defined | CVE-2026-28797 |