Wangyihang

Rank: #14,818 of 53,633
Total CVSS: 18.2
Vulnerabilities: 2 (High: 1, Critical: 1)
PT-2026-30249 · CVSS 8.8 · 2026-04-03
Infiniflow · Ragflow · CVE-2026-28797
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions 0.24.0 and prior, a Server-Side Template Injection (SSTI) vulnerability exists in RAGFlow's Agent workflow Text Processing (StringTransform) and Message components. These components use Python's jinja2.Template (unsandboxed) to render user-supplied templates, allowing any authenticated user to execute arbitrary operating system commands on the server. At the time of publication, there are no publicly available patches.
PT-2025-4386 · CVSS 9.4 · 2025-01-10
Atheros · Atheos · CVE-2025-22152
**Name of the Vulnerable Software and Affected Versions**
Atheos versions prior to v600

**Description**
Atheos is a self-hosted browser-based cloud IDE. The issue is related to the lack of proper validation of the `$path` and `$target` parameters across multiple components, allowing an attacker to read, modify, or execute arbitrary files on the server. This can be exploited through various attack vectors present in multiple PHP files.

**Recommendations**
For versions prior to v600, update to v600 to fix the issue. As a temporary workaround, consider restricting access to the vulnerable parameters `$path` and `$target` to minimize the risk of exploitation.