CVE-2026-13509 | A vulnerability has been found in RAGapp up to 0.1.5. Affect… | CVSS 6.3 MEDIUM

Description

A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.

Metadata

CVE ID: CVE-2026-13509
State: PUBLISHED
Assigner: VulDB
Reserved: 2026-06-28 06:23 UTC
Published: 2026-06-28 22:00 UTC
Last updated: 2026-06-28 22:00 UTC
Primary CWE: CWE-22
Path Traversal
Vendor / Product: n/a / RAGapp
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

Affected products (1)

Vendor	Product	Platform	Versions
n/a	RAGapp	—	0.1.0, 0.1.1, 0.1.2, 0.1.3 …

Weakness (CWE)

CWE	Source	Description
CWE-22	cna	Path Traversal

CVSS scores (4)

Score	Severity	Version	Source	Vector
6.5	N/D	2.0	cna	AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR
6.3	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
6.3	MEDIUM	3.0	cna	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R
5.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

References (7)

VDB-374517 | RAGapp Knowledge File files.py FileHandler.remove_file path traversal https://vuldb.com/vuln/374517
VDB-374517 | CTI Indicators (IOB, IOC, TTP, IOA) https://vuldb.com/vuln/374517/cti
CVE-2026-13509 | CVE Analysis and Report https://vuldb.com/cve/CVE-2026-13509
Submit #838838 | RAGapp ragapp 0.1.5 and earlier; verified on commit f7f88892a92c110853dfa019f2c4a605a4a7b6f5 CWE-22 Improper Limitation of a Pathname to a Restricted Directo https://vuldb.com/submit/838838
https://github.com/ragapp/ragapp/issues/293
https://github.com/ragapp/ragapp/pull/294
https://github.com/ragapp/ragapp/