A vulnerability, which was classified as critical , was found in RAGapp up to 0.1.5 . Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler . Such manipulation leads to path traversal. This vulnerability is documented as CVE-2026-13509 . The attack can be executed remotely. Additionally, an exploit exists. The pull request to fix this issue awaits acceptance.