CVE-2025-27135

Name of the Vulnerable Software and Affected Versions RAGFlow versions 0.15.1 and prior

Description RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query, making it vulnerable to SQL injection. As of the time of publication, no patched version is available.

Recommendations For versions 0.15.1 and prior, as a temporary workaround, consider restricting access to the ExeSQL component until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.