CVE-2026-28797 in ragflow

Summary (English)

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At the time of publication, there are no publicly available patches.


Responsible

GitHub_M

Reserved

2026-03-03

Disclosure

2026-04-04

Status

Confirmed
