Search
Find a vulnerability
Search criteria
134 vulnerabilities found for anythingllm by mintplexlabs
CVE-2026-48116 (GCVE-0-2026-48116)
Vulnerability from nvd – Published: 2026-05-28 21:19 – Updated: 2026-05-30 02:22
VLAI
Title
AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:22:29.307430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:22:53.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh \u003cfile\u003e for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:19:51.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33"
}
],
"source": {
"advisory": "GHSA-6hrp-7mw6-8v59",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48116",
"datePublished": "2026-05-28T21:19:51.965Z",
"dateReserved": "2026-05-20T18:46:58.289Z",
"dateUpdated": "2026-05-30T02:22:53.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47713 (GCVE-0-2026-47713)
Vulnerability from nvd – Published: 2026-05-28 21:20 – Updated: 2026-05-29 14:48
VLAI
Title
AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47713",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:48:29.600045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:48:59.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -\u003e multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:20:56.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/9d714f95c124b61df00b840e36f623a2eb7e7eb4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/9d714f95c124b61df00b840e36f623a2eb7e7eb4"
}
],
"source": {
"advisory": "GHSA-h349-hp2v-8rhw",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47713",
"datePublished": "2026-05-28T21:20:56.596Z",
"dateReserved": "2026-05-19T21:29:25.482Z",
"dateUpdated": "2026-05-29T14:48:59.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45403 (GCVE-0-2026-45403)
Vulnerability from nvd – Published: 2026-05-28 21:18 – Updated: 2026-05-29 19:06
VLAI
Title
AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:06:40.425856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:06:43.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:18:08.686Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09"
}
],
"source": {
"advisory": "GHSA-vjrp-43mm-j7vw",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45403",
"datePublished": "2026-05-28T21:18:08.686Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-05-29T19:06:43.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42456 (GCVE-0-2026-42456)
Vulnerability from nvd – Published: 2026-05-08 23:01 – Updated: 2026-05-11 15:54
VLAI
Title
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
| https://github.com/Mintplex-Labs/anything-llm/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.12.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:54:54.307550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:54:57.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user\u0027s chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user\u0027s private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T23:01:30.213Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1"
}
],
"source": {
"advisory": "GHSA-jwqg-jfg3-x5vv",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42456",
"datePublished": "2026-05-08T23:01:30.213Z",
"dateReserved": "2026-04-27T13:55:58.693Z",
"dateUpdated": "2026-05-11T15:54:57.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41318 (GCVE-0-2026-41318)
Vulnerability from nvd – Published: 2026-04-24 02:57 – Updated: 2026-04-24 18:17
VLAI
Title
AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.12.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41318",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T17:24:46.472539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:42.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM\u0027s in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image\u0027s `alt` text into an HTML `alt=\"...\"` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth \u2014 except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM\u0027s output \u2014 most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace \u2014 can trigger stored DOM-level XSS in every other user\u0027s browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T02:57:16.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535"
}
],
"source": {
"advisory": "GHSA-4q6m-qh3w-9gf5",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41318",
"datePublished": "2026-04-24T02:57:16.193Z",
"dateReserved": "2026-04-20T14:01:46.671Z",
"dateUpdated": "2026-04-24T18:17:42.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5627 (GCVE-0-2026-5627)
Vulnerability from nvd – Published: 2026-04-07 13:06 – Updated: 2026-04-07 13:52
VLAI
Title
Path Traversal in mintplex-labs/anything-llm
Summary
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '\..\filename'
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mintplex-labs | mintplex-labs/anything-llm |
Affected:
unspecified , < 1.12.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:52:46.517190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:52:59.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mintplex-labs/anything-llm",
"vendor": "mintplex-labs",
"versions": [
{
"lessThan": "1.12.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:06:38.503Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374"
},
{
"url": "https://github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017"
}
],
"source": {
"advisory": "597d41c5-7ea0-4786-80f4-bd536ec66374",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in mintplex-labs/anything-llm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2026-5627",
"datePublished": "2026-04-07T13:06:38.503Z",
"dateReserved": "2026-04-05T18:57:42.463Z",
"dateUpdated": "2026-04-07T13:52:59.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32719 (GCVE-0-2026-32719)
Vulnerability from nvd – Published: 2026-03-13 21:25 – Updated: 2026-03-16 16:44
VLAI
Title
AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
Severity
4.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:44:32.891677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:44:38.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:25:31.682Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c"
}
],
"source": {
"advisory": "GHSA-rh66-4w74-cf4m",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32719",
"datePublished": "2026-03-13T21:25:31.682Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-03-16T16:44:38.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32717 (GCVE-0-2026-32717)
Vulnerability from nvd – Published: 2026-03-13 21:23 – Updated: 2026-03-16 16:45
VLAI
Title
AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32717",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:45:13.935932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:45:17.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:23:48.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/a207449095158f28c7e16acf113356b336c87803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/a207449095158f28c7e16acf113356b336c87803"
}
],
"source": {
"advisory": "GHSA-7754-8jcc-2rg3",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32717",
"datePublished": "2026-03-13T21:23:48.659Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-03-16T16:45:17.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32715 (GCVE-0-2026-32715)
Vulnerability from nvd – Published: 2026-03-13 21:22 – Updated: 2026-03-16 16:46
VLAI
Title
AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32715",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:45:56.666831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:46:00.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:22:00.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb"
}
],
"source": {
"advisory": "GHSA-wfq3-65gm-3g2p",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32715",
"datePublished": "2026-03-13T21:22:00.783Z",
"dateReserved": "2026-03-13T14:33:42.824Z",
"dateUpdated": "2026-03-16T16:46:00.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32628 (GCVE-0-2026-32628)
Vulnerability from nvd – Published: 2026-03-13 20:50 – Updated: 2026-03-16 15:41
VLAI
Title
AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:28:24.944378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:41:05.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:50:15.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e"
}
],
"source": {
"advisory": "GHSA-jwjx-mw2p-5wc7",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32628",
"datePublished": "2026-03-13T20:50:15.991Z",
"dateReserved": "2026-03-12T15:29:36.558Z",
"dateUpdated": "2026-03-16T15:41:05.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32626 (GCVE-0-2026-32626)
Vulnerability from nvd – Published: 2026-03-13 20:14 – Updated: 2026-03-16 20:13
VLAI
Title
AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().
Severity
9.7 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T20:13:03.259781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T20:13:43.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization \u2014 unlike HistoricalMessage which correctly applies DOMPurify.sanitize()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:14:30.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214"
}
],
"source": {
"advisory": "GHSA-rrmw-2j6x-4mf2",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32626",
"datePublished": "2026-03-13T20:14:30.437Z",
"dateReserved": "2026-03-12T15:29:36.558Z",
"dateUpdated": "2026-03-16T20:13:43.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32617 (GCVE-0-2026-32617)
Vulnerability from nvd – Published: 2026-03-13 20:07 – Updated: 2026-03-16 20:09
VLAI
Title
AnythingLLM Permissable CORS policy
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32617",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T20:08:58.773783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T20:09:19.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server\u0027s CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188: Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:07:57.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-24qj-pw4h-3jmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-24qj-pw4h-3jmm"
}
],
"source": {
"advisory": "GHSA-24qj-pw4h-3jmm",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Permissable CORS policy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32617",
"datePublished": "2026-03-13T20:07:57.446Z",
"dateReserved": "2026-03-12T15:29:36.557Z",
"dateUpdated": "2026-03-16T20:09:19.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24478 (GCVE-0-2026-24478)
Vulnerability from nvd – Published: 2026-01-26 23:23 – Updated: 2026-01-27 21:29
VLAI
Title
AnythingLLM vulnerable to Path Traversal
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24478",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T21:29:29.972528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T21:29:55.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T23:23:54.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv"
}
],
"source": {
"advisory": "GHSA-jp2f-99h9-7vjv",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM vulnerable to Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24478",
"datePublished": "2026-01-26T23:23:54.923Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T21:29:55.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24477 (GCVE-0-2026-24477)
Vulnerability from nvd – Published: 2026-01-26 23:22 – Updated: 2026-04-03 13:16
VLAI
Title
AnythingLLM has key leak in `systemSettings.js`
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24477",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T13:15:55.836300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:16:06.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T23:22:27.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf"
}
],
"source": {
"advisory": "GHSA-gm94-qc2p-xcwf",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has key leak in `systemSettings.js`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24477",
"datePublished": "2026-01-26T23:22:27.793Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-04-03T13:16:06.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21484 (GCVE-0-2026-21484)
Vulnerability from nvd – Published: 2026-01-03 01:21 – Updated: 2026-01-05 20:36
VLAI
Title
AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< e287fab56089cf8fcea9ba579a3ecdeca0daa313
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:32:28.995295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:36:58.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c e287fab56089cf8fcea9ba579a3ecdeca0daa313"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-03T01:21:39.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313"
}
],
"source": {
"advisory": "GHSA-47vr-w3vm-69ch",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21484",
"datePublished": "2026-01-03T01:21:39.386Z",
"dateReserved": "2025-12-29T14:34:16.005Z",
"dateUpdated": "2026-01-05T20:36:58.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-47713 (GCVE-0-2026-47713)
Vulnerability from cvelistv5 – Published: 2026-05-28 21:20 – Updated: 2026-05-29 14:48
VLAI
Title
AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-47713",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T14:48:29.600045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T14:48:59.134Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -\u003e multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-285",
"description": "CWE-285: Improper Authorization",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:20:56.596Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-h349-hp2v-8rhw"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/9d714f95c124b61df00b840e36f623a2eb7e7eb4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/9d714f95c124b61df00b840e36f623a2eb7e7eb4"
}
],
"source": {
"advisory": "GHSA-h349-hp2v-8rhw",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-47713",
"datePublished": "2026-05-28T21:20:56.596Z",
"dateReserved": "2026-05-19T21:29:25.482Z",
"dateUpdated": "2026-05-29T14:48:59.134Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-48116 (GCVE-0-2026-48116)
Vulnerability from cvelistv5 – Published: 2026-05-28 21:19 – Updated: 2026-05-30 02:22
VLAI
Title
AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Severity
7.5 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-48116",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-30T02:22:29.307430Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-30T02:22:53.743Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh \u003cfile\u003e for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-88",
"description": "CWE-88: Improper Neutralization of Argument Delimiters in a Command (\u0027Argument Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:19:51.965Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33"
}
],
"source": {
"advisory": "GHSA-6hrp-7mw6-8v59",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-48116",
"datePublished": "2026-05-28T21:19:51.965Z",
"dateReserved": "2026-05-20T18:46:58.289Z",
"dateUpdated": "2026-05-30T02:22:53.743Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-45403 (GCVE-0-2026-45403)
Vulnerability from cvelistv5 – Published: 2026-05-28 21:18 – Updated: 2026-05-29 19:06
VLAI
Title
AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-59 - Improper Link Resolution Before File Access ('Link Following')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.13.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-45403",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-29T19:06:40.425856Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-29T19:06:43.485Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.13.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-59",
"description": "CWE-59: Improper Link Resolution Before File Access (\u0027Link Following\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-28T21:18:08.686Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-vjrp-43mm-j7vw"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/21ce03087145a4261c1de03b056fba639f699c09"
}
],
"source": {
"advisory": "GHSA-vjrp-43mm-j7vw",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-45403",
"datePublished": "2026-05-28T21:18:08.686Z",
"dateReserved": "2026-05-12T01:48:40.451Z",
"dateUpdated": "2026-05-29T19:06:43.485Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-42456 (GCVE-0-2026-42456)
Vulnerability from cvelistv5 – Published: 2026-05-08 23:01 – Updated: 2026-05-11 15:54
VLAI
Title
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.
Severity
4.3 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
| https://github.com/Mintplex-Labs/anything-llm/rel… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.12.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42456",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-11T15:54:54.307550Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T15:54:57.762Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user\u0027s chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user\u0027s private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-08T23:01:30.213Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwqg-jfg3-x5vv"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/4f3f77119d342e5489d1ba7533ad6d51bdcd565f"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/releases/tag/v1.12.1"
}
],
"source": {
"advisory": "GHSA-jwqg-jfg3-x5vv",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42456",
"datePublished": "2026-05-08T23:01:30.213Z",
"dateReserved": "2026-04-27T13:55:58.693Z",
"dateUpdated": "2026-05-11T15:54:57.762Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-41318 (GCVE-0-2026-41318)
Vulnerability from cvelistv5 – Published: 2026-04-24 02:57 – Updated: 2026-04-24 18:17
VLAI
Title
AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
Severity
5.4 (Medium)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.12.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-41318",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-24T17:24:46.472539Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T18:17:42.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.12.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM\u0027s in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image\u0027s `alt` text into an HTML `alt=\"...\"` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth \u2014 except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM\u0027s output \u2014 most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace \u2014 can trigger stored DOM-level XSS in every other user\u0027s browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-116",
"description": "CWE-116: Improper Encoding or Escaping of Output",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1336",
"description": "CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-24T02:57:16.193Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535"
}
],
"source": {
"advisory": "GHSA-4q6m-qh3w-9gf5",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41318",
"datePublished": "2026-04-24T02:57:16.193Z",
"dateReserved": "2026-04-20T14:01:46.671Z",
"dateUpdated": "2026-04-24T18:17:42.185Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5627 (GCVE-0-2026-5627)
Vulnerability from cvelistv5 – Published: 2026-04-07 13:06 – Updated: 2026-04-07 13:52
VLAI
Title
Path Traversal in mintplex-labs/anything-llm
Summary
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-29 - Path Traversal: '\..\filename'
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| mintplex-labs | mintplex-labs/anything-llm |
Affected:
unspecified , < 1.12.1
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5627",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-07T13:52:46.517190Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:52:59.055Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mintplex-labs/anything-llm",
"vendor": "mintplex-labs",
"versions": [
{
"lessThan": "1.12.1",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-29",
"description": "CWE-29 Path Traversal: \u0027\\..\\filename\u0027",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T13:06:38.503Z",
"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"shortName": "@huntr_ai"
},
"references": [
{
"url": "https://huntr.com/bounties/597d41c5-7ea0-4786-80f4-bd536ec66374"
},
{
"url": "https://github.com/mintplex-labs/anything-llm/commit/3444b9b0aa6764d72d53670ab4b1aaccdc6b7017"
}
],
"source": {
"advisory": "597d41c5-7ea0-4786-80f4-bd536ec66374",
"discovery": "EXTERNAL"
},
"title": "Path Traversal in mintplex-labs/anything-llm"
}
},
"cveMetadata": {
"assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a",
"assignerShortName": "@huntr_ai",
"cveId": "CVE-2026-5627",
"datePublished": "2026-04-07T13:06:38.503Z",
"dateReserved": "2026-04-05T18:57:42.463Z",
"dateUpdated": "2026-04-07T13:52:59.055Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32719 (GCVE-0-2026-32719)
Vulnerability from cvelistv5 – Published: 2026-03-13 21:25 – Updated: 2026-03-16 16:44
VLAI
Title
AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
Severity
4.2 (Medium)
SSVC
Exploitation: none
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32719",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:44:32.891677Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:44:38.247Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:25:31.682Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c"
}
],
"source": {
"advisory": "GHSA-rh66-4w74-cf4m",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32719",
"datePublished": "2026-03-13T21:25:31.682Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-03-16T16:44:38.247Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32717 (GCVE-0-2026-32717)
Vulnerability from cvelistv5 – Published: 2026-03-13 21:23 – Updated: 2026-03-16 16:45
VLAI
Title
AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32717",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:45:13.935932Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:45:17.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 2.7,
"baseSeverity": "LOW",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:23:48.659Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-7754-8jcc-2rg3"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/a207449095158f28c7e16acf113356b336c87803",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/a207449095158f28c7e16acf113356b336c87803"
}
],
"source": {
"advisory": "GHSA-7754-8jcc-2rg3",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32717",
"datePublished": "2026-03-13T21:23:48.659Z",
"dateReserved": "2026-03-13T14:33:42.825Z",
"dateUpdated": "2026-03-16T16:45:17.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32715 (GCVE-0-2026-32715)
Vulnerability from cvelistv5 – Published: 2026-03-13 21:22 – Updated: 2026-03-16 16:46
VLAI
Title
AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32715",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T16:45:56.666831Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T16:46:00.551Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.8,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T21:22:00.783Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-wfq3-65gm-3g2p"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/732eac6fa89f43288bbb65ecc6298ebcd96b7aeb"
}
],
"source": {
"advisory": "GHSA-wfq3-65gm-3g2p",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32715",
"datePublished": "2026-03-13T21:22:00.783Z",
"dateReserved": "2026-03-13T14:33:42.824Z",
"dateUpdated": "2026-03-16T16:46:00.551Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32628 (GCVE-0-2026-32628)
Vulnerability from cvelistv5 – Published: 2026-03-13 20:50 – Updated: 2026-03-16 15:41
VLAI
Title
AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32628",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T15:28:24.944378Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T15:41:05.437Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "HIGH",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.7,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:50:15.991Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e"
}
],
"source": {
"advisory": "GHSA-jwjx-mw2p-5wc7",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32628",
"datePublished": "2026-03-13T20:50:15.991Z",
"dateReserved": "2026-03-12T15:29:36.558Z",
"dateUpdated": "2026-03-16T15:41:05.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32626 (GCVE-0-2026-32626)
Vulnerability from cvelistv5 – Published: 2026-03-13 20:14 – Updated: 2026-03-16 20:13
VLAI
Title
AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().
Severity
9.7 (Critical)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T20:13:03.259781Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T20:13:43.696Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization \u2014 unlike HistoricalMessage which correctly applies DOMPurify.sanitize()."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:14:30.437Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214"
}
],
"source": {
"advisory": "GHSA-rrmw-2j6x-4mf2",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32626",
"datePublished": "2026-03-13T20:14:30.437Z",
"dateReserved": "2026-03-12T15:29:36.558Z",
"dateUpdated": "2026-03-16T20:13:43.696Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-32617 (GCVE-0-2026-32617)
Vulnerability from cvelistv5 – Published: 2026-03-13 20:07 – Updated: 2026-03-16 20:09
VLAI
Title
AnythingLLM Permissable CORS policy
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server's CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests.
Severity
7.1 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
<= 1.11.1
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-32617",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-16T20:08:58.773783Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-16T20:09:19.009Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c= 1.11.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, On default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack authentication, and the server\u0027s CORS policy accepts any origin. AnythingLLM Desktop binds to 127.0.0.1 (loopback) by default. Modern browsers (Chrome, Edge, Firefox) implement Private Network Access (PNA). This explicitly blocks public websites from making requests to local IP addresses. Exploitation is only viable from within the same local network (LAN) due to browser-level blocking of public-to-private requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-942",
"description": "CWE-942: Permissive Cross-domain Policy with Untrusted Domains",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-1188",
"description": "CWE-1188: Insecure Default Initialization of Resource",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-13T20:07:57.446Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-24qj-pw4h-3jmm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-24qj-pw4h-3jmm"
}
],
"source": {
"advisory": "GHSA-24qj-pw4h-3jmm",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Permissable CORS policy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-32617",
"datePublished": "2026-03-13T20:07:57.446Z",
"dateReserved": "2026-03-12T15:29:36.557Z",
"dateUpdated": "2026-03-16T20:09:19.009Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24478 (GCVE-0-2026-24478)
Vulnerability from cvelistv5 – Published: 2026-01-26 23:23 – Updated: 2026-01-27 21:29
VLAI
Title
AnythingLLM vulnerable to Path Traversal
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.
Severity
7.2 (High)
SSVC
Exploitation: poc
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24478",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-27T21:29:29.972528Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-27T21:29:55.195Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T23:23:54.923Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv"
}
],
"source": {
"advisory": "GHSA-jp2f-99h9-7vjv",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM vulnerable to Path Traversal"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24478",
"datePublished": "2026-01-26T23:23:54.923Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-01-27T21:29:55.195Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-24477 (GCVE-0-2026-24477)
Vulnerability from cvelistv5 – Published: 2026-01-26 23:22 – Updated: 2026-04-03 13:16
VLAI
Title
AnythingLLM has key leak in `systemSettings.js`
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-201 - Insertion of Sensitive Information Into Sent Data
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< 1.10.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-24477",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-03T13:15:55.836300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-03T13:16:06.910Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c 1.10.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201: Insertion of Sensitive Information Into Sent Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-26T23:22:27.793Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf"
}
],
"source": {
"advisory": "GHSA-gm94-qc2p-xcwf",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM has key leak in `systemSettings.js`"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-24477",
"datePublished": "2026-01-26T23:22:27.793Z",
"dateReserved": "2026-01-23T00:38:20.547Z",
"dateUpdated": "2026-04-03T13:16:06.910Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-21484 (GCVE-0-2026-21484)
Vulnerability from cvelistv5 – Published: 2026-01-03 01:21 – Updated: 2026-01-05 20:36
VLAI
Title
AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery
Summary
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue.
Severity
5.3 (Medium)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/Mintplex-Labs/anything-llm/sec… | x_refsource_CONFIRM |
| https://github.com/Mintplex-Labs/anything-llm/com… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Mintplex-Labs | anything-llm |
Affected:
< e287fab56089cf8fcea9ba579a3ecdeca0daa313
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-21484",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-05T20:32:28.995295Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-05T20:36:58.168Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "anything-llm",
"vendor": "Mintplex-Labs",
"versions": [
{
"status": "affected",
"version": "\u003c e287fab56089cf8fcea9ba579a3ecdeca0daa313"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username exists, so enabling username enumeration. Commit e287fab56089cf8fcea9ba579a3ecdeca0daa313 fixes this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-203",
"description": "CWE-203: Observable Discrepancy",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-204",
"description": "CWE-204: Observable Response Discrepancy",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-03T01:21:39.386Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-47vr-w3vm-69ch"
},
{
"name": "https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Mintplex-Labs/anything-llm/commit/e287fab56089cf8fcea9ba579a3ecdeca0daa313"
}
],
"source": {
"advisory": "GHSA-47vr-w3vm-69ch",
"discovery": "UNKNOWN"
},
"title": "AnythingLLM Vulnerable to Username Enumeration w/ Password Recovery"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-21484",
"datePublished": "2026-01-03T01:21:39.386Z",
"dateReserved": "2025-12-29T14:34:16.005Z",
"dateUpdated": "2026-01-05T20:36:58.168Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}