Skip to main content

AI / ML CVE-2026-32719

MEDIUM
Path Traversal (CWE-22)
2026-03-13 GitHub_M
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Mar 13, 2026 - 22:01 vuln.today
CVE Published
Mar 13, 2026 - 21:25 nvd
MEDIUM 4.2

DescriptionGitHub Advisory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.

AnalysisAI

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Technical ContextAI

The vulnerability exists in the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js, which uses the AdmZip library to extract downloaded ZIP archives without performing path validation or sanitization. The root cause is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, also known as Path Traversal), a well-established class of vulnerability where insufficient input validation allows attackers to manipulate file paths using sequences like '../' to escape intended directory boundaries. The AdmZip library, while functional for standard ZIP operations, does not inherently prevent Zip Slip attacks; developers must explicitly validate entry paths before extraction. AnythingLLM's plugin import mechanism downloads untrusted archives from a community hub URL and extracts them server-side, creating an attractive attack surface when combined with missing path validation.

RemediationAI

Immediately upgrade AnythingLLM to the latest patched version released after 1.11.1, which includes explicit path validation in the ImportedPlugin.importCommunityItemFromUrl() function and AdmZip extraction process. Consult the official AnythingLLM GitHub releases page and security advisories for the exact patched version number and installation instructions. As an interim workaround prior to patching, restrict the plugin import functionality by disabling the community hub import feature if not strictly required, enforce the principle of least privilege by removing plugin import permissions from non-administrative users, and isolate AnythingLLM instances from untrusted networks. Additionally, implement file system monitoring and access controls to detect or prevent unauthorized file writes outside the intended plugin directories. Once patched, validate the extraction by confirming all plugin files remain within their designated installation paths.

CVE-2026-23744 CRITICAL POC
9.8 Jan 16

MCPJam Inspector versions 1.4.2 and earlier allow unauthenticated remote code execution through missing authentication i

CVE-2024-8859 HIGH POC
7.5 Mar 20

A path traversal vulnerability exists in mlflow/mlflow version 2.15.1. Rated high severity (CVSS 7.5), this vulnerabilit

CVE-2026-27966 CRITICAL POC
9.8 Feb 26

Code injection in Langflow CSV Agent node before 1.8.0. The node hardcodes allow_dangerous_code=True, enabling arbitrary

CVE-2026-0770 CRITICAL POC
9.8 Jan 23

Langflow has a third RCE vulnerability via exec_globals (EPSS 10.0%) allowing inclusion of untrusted code that executes

CVE-2026-27597 CRITICAL POC
10.0 Feb 25

Sandbox escape in Enclave JavaScript sandbox before 2.11.1. Enclave is designed for safe AI agent code execution — the e

CVE-2026-22686 CRITICAL POC
10.0 Jan 14

enclave-vm JavaScript sandbox (before 2.7.0) has a critical sandbox escape. When a tool invocation fails, a host-side Er

CVE-2025-2828 CRITICAL POC
10.0 Jun 23

A remote code execution vulnerability in langchain-ai/langchain (CVSS 10.0). Risk factors: public PoC available. Vendor

CVE-2026-1470 CRITICAL POC
9.9 Jan 27

n8n has a fifth critical RCE vulnerability (CVSS 9.9) in the Expression evaluator, enabling code execution through craft

CVE-2026-24770 CRITICAL POC
9.8 Jan 27

Path traversal vulnerability in RAGFlow RAG engine version 0.23.1 allows unauthenticated attackers to read arbitrary fil

CVE-2026-22688 CRITICAL POC
9.9 Jan 10

WeKnora LLM framework (before 0.2.5) allows authenticated users to inject MCP stdio commands that the server executes as

CVE-2026-30861 CRITICAL POC
9.9 Mar 07

OS command injection in WeKnora from version 0.2.5 allows authenticated users to execute arbitrary system commands. CVSS

CVE-2026-29042 CRITICAL POC
9.8 Mar 06

Shell command injection in Nuclio serverless framework before 1.15.20. PoC and patch available.

Share

CVE-2026-32719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy