CVE-2025-48187 Information

Description

RAGFlow through 0.18.1 allows account takeover because it is possible to conduct successful brute-force attacks against email verification codes to perform arbitrary account registration login and password reset. Codes are six digits and there is no rate limiting.

Reference

https://github.com/infiniflow/ragflow/commits/main/ https://www.cnblogs.com/qiushuo/p/18881084