CVE-2026-13509
MEDIUMRAGapp Knowledge File files.py FileHandler.remove_file path traversal
Title source: cnaDescription
A vulnerability has been found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance.
References (7)
Core 7
Core References
Product product
https://github.com/ragapp/ragapp/
Vdb Entry, Technical Description vdb-entry
technical-description
VDB-374517 | RAGapp Knowledge File files.py FileHandler.remove_file path traversal
https://vuldb.com/vuln/374517
Signature, Permissions Required signature
permissions-required
VDB-374517 | CTI Indicators (IOB, IOC, TTP, IOA)
https://vuldb.com/vuln/374517/cti
Third Party Advisory third-party-advisory
CVE-2026-13509 | CVE Analysis and Report
https://vuldb.com/cve/CVE-2026-13509
Third Party Advisory third-party-advisory
Submit #838838 | RAGapp ragapp 0.1.5 and earlier; verified on commit f7f88892a92c110853dfa019f2c4a605a4a7b6f5 CWE-22 Improper Limitation of a Pathname to a Restricted Directo
https://vuldb.com/submit/838838
Exploit exploit
issue-tracking
https://github.com/ragapp/ragapp/issues/293
Patch issue-tracking
patch
https://github.com/ragapp/ragapp/pull/294
Scores
CVSS v3
6.3
EPSS
0.0029
EPSS Percentile
21.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
Status
published
Products (6)
None/RAGapp
0.1.0
None/RAGapp
0.1.1
None/RAGapp
0.1.2
None/RAGapp
0.1.3
None/RAGapp
0.1.4
None/RAGapp
0.1.5
Published
Jun 28, 2026
Tracked Since
Jun 29, 2026