REPRO-2026-00086 UNKNOWN RCE Verified

RAGFlow MinerU parser Zip Slip allows arbitrary file overwrite and potential RCE via malicious ZIP archives.

ragflow (RAGFlow) (pip (per GitHub advisory)) Feb 13, 2026

Confidence HIGH

Reproduced in 8m 19s

Tool calls 112

Affected Versions prior to 0.23.1 (advisory text says 0.23.1 and possibly earlier; dbugs says prior to 0.23.1)

Fixed in 0.23.1 (ticket); GitHub advisory lists patched versions: none; patch commit 64c75d558e4a17a4a48953b4c201526431d8338f

What's the vulnerability?

RAGFlow MinerU parser Zip Slip allows arbitrary file overwrite and potential RCE via malicious ZIP archives.

Bypass and alternate trigger exploration (if present).

One Command

Run the Pruva CLI to automatically fetch and execute the reproduction script.

pruva-verify REPRO-2026-00086

or pruva-verify CVE-2026-24770

Install: curl -fsSL https://pruva.dev/install.sh | sh

curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00086/artifacts/repro/reproduction_steps.sh

chmod +x reproduction_steps.sh

./reproduction_steps.sh

Run in a VM, container, or disposable environment. This exploits a real vulnerability.

Watch the AI agent's step-by-step process.

Loading session...