Stored Cross-Site Scripting in RAGFlow by Infiniflow
CVE-2026-58579
Key Information:
- Vendor: Infiniflow
- Status
- Vendor
- CVE Published: 2 July 2026
What is CVE-2026-58579?
RAGFlow versions prior to 0.26.3 are vulnerable to stored cross-site scripting because agent pipeline node names are not sufficiently sanitized. The normalize_dsl function validates that the DSL serializes as JSON but does not sanitize the node name itself. As a result, an authenticated user who can create or modify agents can inject malicious JavaScript that is rendered in the dataflow-result web UI. When another workspace member opens this UI, the injected script executes within their session, potentially leading to session hijacking and unauthorized account access.
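The gap described above, shown from the defender's side as an added example (not RAGFlow's code and not the vendor's fix): a JSON round-trip check accepts a node name containing markup, while an allow-list check at save time and HTML encoding at render time both catch it. The DSL layout ("nodes" with a "name" key), the function names and the allow-list pattern are assumptions made for illustration.

```python
import html
import json
import re

# Constructed sample DSL. The "nodes"/"name" layout is an assumption,
# not RAGFlow's actual schema.
SAMPLE_DSL = {
    "nodes": [
        {"id": "n1", "name": "Retrieval"},
        {"id": "n2", "name": "<img src=x onerror=alert(1)>"},
    ]
}

# Hypothetical allow-list: letters, digits, space, underscore, dot, hyphen.
NAME_RE = re.compile(r"[A-Za-z0-9 _.\-]{1,64}")


def serializes_cleanly(dsl):
    """Check of the kind the advisory describes: does the DSL round-trip as JSON?

    It says nothing about what the string values contain.
    """
    try:
        return json.loads(json.dumps(dsl)) == dsl
    except (TypeError, ValueError):
        return False


def invalid_node_names(dsl):
    """Input-side control: return node names that fail the allow-list."""
    bad = []
    for node in dsl.get("nodes", []):
        name = node.get("name")
        if not (isinstance(name, str) and NAME_RE.fullmatch(name)):
            bad.append(name)
    return bad


def render_node_label(name):
    """Output-side control: HTML-encode the name before it reaches the page."""
    return '<span class="node">' + html.escape(str(name), quote=True) + "</span>"


if __name__ == "__main__":
    print("JSON check passes:", serializes_cleanly(SAMPLE_DSL))
    print("Rejected names:", invalid_node_names(SAMPLE_DSL))
    for n in SAMPLE_DSL["nodes"]:
        print(render_node_label(n["name"]))
```

Encoding at render time is the control that still holds for names stored before any input validation was introduced.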
Affected Version(s)
ragflow 0 < 0.26.3
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
