Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-accessible API requires low-privilege authentication; path traversal yields limited read, write, and delete access, no scope change beyond the application process.
Primary rating from Vendor (vuldb).
CVSS VectorVendor: vuldb
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
AnalysisAI
Path traversal in RAGapp's Knowledge File Handler (versions up to 0.1.5) allows authenticated low-privilege users to read, write, or delete files outside the intended data/ directory by supplying crafted filenames containing sequences such as '../' to the upload or remove file API endpoints. The vulnerability exists in the FileHandler.upload_file and FileHandler.remove_file functions in src/ragapp/backend/controllers/files.py, where client-supplied filenames were interpolated directly into file paths without sanitization. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session with low-privilege access to the RAGapp management API - PR:L per CVSS 4.0 vector confirms authentication is required but no elevated admin role is necessary. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N) with threat metric E:P yields a score of 2.1, reflecting limited CIA impact and a low-privilege authentication requirement. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated RAGapp user with low-privilege access crafts a multipart file upload HTTP request where the filename field contains a path traversal sequence such as '../../app_config.env', targeting the /management/files upload endpoint. The server, running vulnerable code that constructs the path as f'data/{file_name}', writes the uploaded content to the application root or parent directory rather than the intended data/ subdirectory. … |
| Remediation | No vendor-released patched version is available at time of analysis - the fix exists only as unmerged PR #294 at https://github.com/ragapp/ragapp/pull/294, which awaits acceptance. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40006
GHSA-284m-435q-x4gm