{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-12T03:32:52.182","vulnerabilities":[{"cve":{"id":"CVE-2024-12870","sourceIdentifier":"security@huntr.dev","published":"2025-03-20T10:15:31.210","lastModified":"2026-04-15T00:35:42.020","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"A stored cross-site scripting (XSS) vulnerability exists in infiniflow/ragflow, affecting the latest commit on the main branch (cec2080). The vulnerability allows an attacker to upload HTML/XML files that can host arbitrary JavaScript payloads. These files are served with the 'application/xml' content type, which is automatically rendered by browsers. This can lead to the execution of arbitrary JavaScript in the context of the user's browser, potentially allowing attackers to steal cookies and gain unauthorized access to user files and resources. The vulnerability does not require authentication, making it accessible to anyone with network access to the instance."},{"lang":"es","value":"Existe una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en infiniflow/ragflow, que afecta a la última confirmación de la rama principal (cec2080). Esta vulnerabilidad permite a un atacante cargar archivos HTML/XML que pueden alojar payloads de JavaScript arbitrarias. Estos archivos se entregan con el tipo de contenido 'application/xml', que los navegadores procesan automáticamente. Esto puede provocar la ejecución de JavaScript arbitrario en el contexto del navegador del usuario, lo que podría permitir a los atacantes robar cookies y obtener acceso no autorizado a los archivos y recursos del usuario. La vulnerabilidad no requiere autenticación, por lo que es accesible para cualquier persona con acceso a la red de la instancia."}],"metrics":{"cvssMetricV30":[{"source":"security@huntr.dev","type":"Secondary","cvssData":{"version":"3.0","vectorString":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"REQUIRED","scope":"CHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.3,"impactScore":2.7}]},"weaknesses":[{"source":"security@huntr.dev","type":"Secondary","description":[{"lang":"en","value":"CWE-79"}]}],"references":[{"url":"https://huntr.com/bounties/d6b497d2-5c95-4abc-8033-04b8068fed65","source":"security@huntr.dev"}]}}]}