PT-2025-30456 · Ragflow · Ragflow
Geckosecurity · Published 2025-07-22 · Updated 2025-07-23
CVE-2025-51462
CVSS v3.1: 6.1 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
RAGFlow version 0.17.2
Description
A stored Cross-site Scripting (XSS) issue exists in the api.apps.dialog_app.set_dialog function. It allows remote attackers to execute arbitrary JavaScript code through crafted input to the assistant greeting field: the input is stored without sanitization and later rendered by a markdown component that uses rehype-raw, which passes raw HTML through to the DOM.
Recommendations
Update to a newer version that contains a fix for this issue. As a temporary workaround, consider sanitizing the assistant greeting input before storing it.
XSS
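The server-side workaround recommended above, as an added example that is not code from the RAGFlow project or from the advisory: an allowlist sanitizer built on Python's standard-library html.parser, applied to the greeting string before it is persisted. The names sanitize_greeting, _GreetingSanitizer and ALLOWED_TAGS are hypothetical, and the sample greetings at the bottom are constructed. It goes slightly beyond the page in that it also neutralizes attribute-carried handlers, javascript: links and unterminated tags, not only script elements.

```python
# Added example, not RAGFlow project code: allowlist sanitization of a
# markdown greeting before it is stored, so that a raw-HTML-capable renderer
# (rehype-raw) downstream has nothing executable to pass through.
# sanitize_greeting, _GreetingSanitizer and ALLOWED_TAGS are hypothetical names.
from html import escape
from html.parser import HTMLParser

# Inline tags that are harmless even when rendered as raw HTML. They are
# re-emitted WITHOUT attributes, which removes on*= handlers and href/src URLs.
ALLOWED_TAGS = {"b", "i", "em", "strong", "code", "br", "p"}


class _GreetingSanitizer(HTMLParser):
    """Rebuild the text: keep allowlisted tags (attributes stripped) and turn
    every other tag into escaped text so it is displayed rather than parsed."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=False)
        self.out: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}>" if tag in ALLOWED_TAGS
                        else escape(self.get_starttag_text()))

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}/>" if tag in ALLOWED_TAGS
                        else escape(self.get_starttag_text()))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>" if tag in ALLOWED_TAGS
                        else escape(f"</{tag}>"))

    def handle_data(self, data):
        # Text nodes: a stray "<" (e.g. an unterminated tag the parser gave up
        # on) must not survive as markup. Everything else stays as-is so that
        # markdown syntax such as **bold** is untouched.
        self.out.append(data.replace("<", "&lt;"))

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    # Comments, doctype/CDATA declarations and processing instructions carry
    # no legitimate greeting content; drop them.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def unknown_decl(self, data): pass
    def handle_pi(self, data): pass


def sanitize_greeting(greeting: str) -> str:
    """Return a version of `greeting` that is safe to store and later render
    with a markdown component that passes raw HTML through."""
    parser = _GreetingSanitizer()
    parser.feed(greeting)
    parser.close()  # flush any trailing partial tag as text
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample greetings: one benign, two mirroring the "crafted
    # input" scenario the advisory describes.
    samples = [
        "Hi! **Welcome** to the assistant. <b>Ask me anything</b>",
        '<img src=x onerror="alert(1)"> Hello <a href="javascript:alert(1)">help</a>',
        "<script>alert(1)</script>",
    ]
    for s in samples:
        print(repr(sanitize_greeting(s)))
```

Because the renderer on the page applies rehype-raw, anything left as markup reaches the DOM, so the sanitizer keeps only a small set of attribute-free inline tags and converts everything else into visible text. Input sanitization alone does not cover greetings stored before the fix; a rehype-sanitize step on the rendering side is the complementary control for that.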
Weakness Enumeration
Related Identifiers
Affected Products
Ragflow