What happened
CVE-2026-58579 (CVSS 5.4 Medium) was published to NVD on 2 July 2026. RAGFlow before 0.26.3 stores agent pipeline DSL node names without HTML sanitisation: the agent update endpoint normalises the submitted DSL for JSON validity but keeps node names verbatim, and the dataflow result page in the web UI then renders the stored names as raw HTML rather than as text. A node name containing markup therefore executes in the browser of anyone who opens that page, a stored XSS confirmed in GitHub issue infiniflow/ragflow#16507.
Why it matters
RAGFlow is a widely used open-source enterprise RAG platform. This stored XSS lets any user who can create or update an agent pipeline run arbitrary JavaScript in the browser of every user who later opens that agent's dataflow result page, administrators included. The script runs inside the victim's authenticated session, so it can issue API requests with the victim's privileges (for example modifying other agents or reading data the victim is entitled to see), capture credentials or tokens entered in the UI, and hijack the session outright where the session cookie is readable by script. In multi-tenant or team deployments a single malicious or compromised pipeline author can therefore reach every colleague who views that agent's results.
Attack vector
An authenticated user with update rights on an agent submits a crafted DSL via the agent update endpoint (PUT /v1/agents/<agent_id>). The normalize_dsl() handler performs only JSON structure validation and preserves node names verbatim, so a name carrying markup (for example an <img> tag with an onerror handler) is stored as-is; no administrative privilege is required at this step. Whenever any user subsequently opens the dataflow result page for that agent, hooks.ts renders the node name as raw HTML and the injected script executes in that user's session. The payload is persistent: it fires on every view until the offending name is edited or the agent is deleted.
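The following TypeScript is an added illustration of the bug class described above, not RAGFlow's code. The DSL shape ({ nodes: [{ id, type, name }] }), the function names, and the string-based renderer are assumptions made for the example; the fix is shown as output escaping, which is the generic remedy for a raw-HTML sink, without claiming that is exactly what the patch commit does.

```typescript
// Added illustration of the bug class described in this advisory; this is NOT
// RAGFlow's code. The DSL shape ({ nodes: [{ id, type, name }] }), the function
// names and the string-based renderer are assumptions made for the example.

interface DslNode {
  id: string;
  type: string;
  name: string;
}

interface AgentDsl {
  nodes: DslNode[];
}

// Models the behaviour the advisory attributes to the agent update endpoint:
// the submitted DSL is checked for JSON validity only, and node names are
// stored verbatim. Nothing here attempts to sanitise the names.
function normalizeDslJsonOnly(raw: string): AgentDsl {
  const parsed = JSON.parse(raw) as AgentDsl; // throws on malformed JSON
  if (!Array.isArray(parsed.nodes)) {
    throw new Error("DSL must contain a nodes array");
  }
  return parsed;
}

// Vulnerable sink: the stored name is interpolated straight into markup that
// the browser will parse, so any tag inside the name becomes live HTML.
function renderNodeLabelUnsafe(node: DslNode): string {
  return `<span class="node-label">${node.name}</span>`;
}

// Hardened sink: escape the five HTML metacharacters before interpolation so
// the name is displayed as text. In a React/Vue UI the equivalent is to render
// the name as a text node instead of injecting raw HTML.
const HTML_ESCAPES: Record<string, string> = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(s: string): string {
  return s.replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

function renderNodeLabelSafe(node: DslNode): string {
  return `<span class="node-label">${escapeHtml(node.name)}</span>`;
}

// Constructed attacker-controlled DSL for the example (not taken from the
// advisory or the GitHub issue). The node name carries an image tag whose
// error handler runs script when the label is rendered as raw HTML.
const CONSTRUCTED_MALICIOUS_DSL = JSON.stringify({
  nodes: [
    { id: "begin", type: "Begin", name: "Start<img src=x onerror=alert(document.domain)>" },
  ],
});

// Runs the stored DSL through both sinks so the difference can be compared.
function demo(): { unsafe: string; safe: string } {
  const dsl = normalizeDslJsonOnly(CONSTRUCTED_MALICIOUS_DSL);
  return {
    unsafe: renderNodeLabelUnsafe(dsl.nodes[0]),
    safe: renderNodeLabelSafe(dsl.nodes[0]),
  };
}

console.log(demo());
```

The point of the example is that input-side "normalisation" that only checks JSON validity does nothing for XSS; the name is valid JSON either way. The defence belongs at the sink, where the value meets the HTML parser, and a name like "Retrieval & Rerank" must still display correctly after escaping.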
Affected systems
RAGFlow (infiniflow/ragflow) < 0.26.3
Mitigation
Upgrade RAGFlow to version 0.26.3 or later. Patch commit: https://github.com/infiniflow/ragflow/commit/572f1ea9f4eba6a60e64f7437dee60aa1c0913f1
Until the upgrade is in place, restrict agent create/update rights to trusted users and review the stored DSL of every agent for node names containing HTML markup; treat any hit as a potential compromise of the sessions of users who viewed that agent's results, and rotate those sessions. After upgrading, confirm the fix by saving a node whose name contains a harmless tag such as <b>test</b> and checking that the dataflow result page displays it literally rather than rendering bold text.
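To support the review step above, here is an added audit helper in TypeScript. It is not RAGFlow code and does not assume RAGFlow's exact DSL schema: it walks any JSON structure and reports every string-valued "name" field that contains HTML metacharacters or script-like tokens, so it can be pointed at the exported DSL of each stored agent. The sample DSL, the field names and the severity tiers are constructed for the example.

```typescript
// Added audit helper; NOT RAGFlow code. It walks an agent DSL (any JSON shape,
// because the exact RAGFlow schema is not assumed here) and reports every
// "name" field containing HTML metacharacters or script-like tokens. Feed it
// the DSL JSON of each stored agent exported from the instance under review.

interface Finding {
  path: string;      // JSONPath-style location of the offending name
  name: string;      // the stored node name
  severity: "review" | "high";
  reasons: string[];
}

// Any of these can change how a raw-HTML sink parses the surrounding markup.
const HTML_META = /[<>"'&]/;
// Tokens that indicate an actual payload rather than an ampersand in a title.
const SCRIPT_LIKE = /(javascript:|\bon[a-z]+\s*=|<\s*(script|img|svg|iframe|object|embed)\b)/i;

function auditNodeNames(dsl: unknown): Finding[] {
  const findings: Finding[] = [];

  const visit = (value: unknown, path: string): void => {
    if (Array.isArray(value)) {
      value.forEach((v, i) => visit(v, `${path}[${i}]`));
      return;
    }
    if (value !== null && typeof value === "object") {
      const obj = value as Record<string, unknown>;
      if (typeof obj.name === "string") {
        const reasons: string[] = [];
        if (HTML_META.test(obj.name)) reasons.push("html-metacharacters");
        if (SCRIPT_LIKE.test(obj.name)) reasons.push("script-like-token");
        if (reasons.length > 0) {
          findings.push({
            path: `${path}.name`,
            name: obj.name,
            // A bare "&" or quote only needs a look; an event handler or tag
            // means the agent was almost certainly used to plant a payload.
            severity: reasons.includes("script-like-token") ? "high" : "review",
            reasons,
          });
        }
      }
      for (const [k, v] of Object.entries(obj)) visit(v, `${path}.${k}`);
    }
  };

  visit(dsl, "$");
  return findings;
}

// Constructed sample DSL with one benign name that merely contains "&" and one
// name carrying a payload. Real exports will have many more fields; the walker
// ignores everything that is not a string-valued "name".
const CONSTRUCTED_STORED_DSL = {
  graph: {
    nodes: [
      { id: "begin", type: "Begin", name: "Begin" },
      { id: "retr", type: "Retrieval", name: "Retrieval & Rerank" },
      { id: "ans", type: "Answer", name: "Answer<img src=x onerror=alert(1)>" },
    ],
  },
};

function runAudit(): Finding[] {
  return auditNodeNames(CONSTRUCTED_STORED_DSL);
}

for (const f of runAudit()) {
  console.log(`${f.severity.toUpperCase()} ${f.path}: ${JSON.stringify(f.name)} [${f.reasons.join(", ")}]`);
}
```

Run it over every agent DSL in the instance before and after the upgrade: "review" findings are usually legitimate names that happen to contain an ampersand or quote and are harmless once the UI escapes them; any "high" finding identifies an agent whose viewers' sessions should be treated as exposed.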