CVE-2026-45312 | infiniflow RAGFlow up to 0.24.0 rag/prompts/generator.py special elements used in a template engine

RAGFlow (≤0.24.0) has a critical Jinja2 template injection vulnerability in rag/prompts/generator.py (CVE-2026-45312) enabling authenticated — including self-registered — users to execute arbitrary OS commands remotely; technical details are known and exploitation appears easy, but no public exploit is available as of 05/29/2026.