CVE-2025-27135 — CRITICAL (9.8)

Q: How severe is CVE-2025-27135?

CVE-2025-27135 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Q: Is there a patch for CVE-2025-27135?

Check the references section above for vendor advisories and patch information. Affected products include: Infiniflow Ragflow.

Vulnerability Description

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sends it directly to the database query. As of time of publication, no patched version is available.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Infiniflow	Ragflow	<= 0.15.1

Related Weaknesses (CWE)

CWE-89

References

FAQ

What is CVE-2025-27135?

CVE-2025-27135 is a vulnerability with a CVSS score of 9.8 (CRITICAL). RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. Versions 0.15.1 and prior are vulnerable to SQL injection. The ExeSQL component extracts the SQL statement from the input and sen...

How severe is CVE-2025-27135?

CVE-2025-27135 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2025-27135?

Check the references section above for vendor advisories and patch information. Affected products include: Infiniflow Ragflow.