OSS
RAGFlow: Open-Source RAG Engine Reaches 77K Stars But Faces Critical SSTI Vulnerability
RAGFlow (77,139 stars) continues its trajectory as a leading open-source RAG engine fusing retrieval-augmented generation with agent capabilities. However, CVE-2026-28797 disclosed a Server-Side Template Injection vulnerability in versions 0.24.0 and prior, allowing authenticated users to execute arbitrary OS commands via Agent workflow Text Processing and Message components. For builders: update immediately if running RAGFlow in production, and audit agent workflow inputs.
Source
↳ Follow the thread