Skip to main content

AnythingLLM CVE-2026-41318

| EUVDEUVD-2026-25387 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-24 GitHub_M
5.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.4 MEDIUM
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

6
Patch released
Apr 27, 2026 - 14:53 nvd
Patch available
Patch available
Apr 24, 2026 - 05:31 EUVD
Analysis Generated
Apr 24, 2026 - 04:31 vuln.today
EUVD ID Assigned
Apr 24, 2026 - 04:00 euvd
EUVD-2026-25387
Analysis Generated
Apr 24, 2026 - 04:00 vuln.today
CVE Published
Apr 24, 2026 - 02:57 nvd
MEDIUM 5.4

DescriptionGitHub Advisory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..." attribute without any HTML encoding. Every call-site in the app wraps renderMarkdown(...) with DOMPurify.sanitize(...) as defense-in-depth - except the Chartable component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a create-chart tool call, so any attacker who can influence the LLM's output - most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace - can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via GET /api/workspace/:slug/chats and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.

AnalysisAI

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject malicious markdown via indirect prompt injection, affecting all other users who view the compromised conversation. The vulnerability stems from unsafe markdown-to-HTML conversion in the Chartable component that bypasses the application's standard DOMPurify sanitization defense-in-depth. Versions prior to 1.12.1 are affected; patch available.

Technical ContextAI

AnythingLLM's markdown renderer applies unsafe custom rules to interpolate image alt text directly into HTML alt attributes without encoding. While most call-sites wrap renderMarkdown() with DOMPurify.sanitize(), the Chartable component (used for rendering LLM-generated chart captions) bypasses this sanitization layer entirely. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) where attacker-controlled LLM output-achievable via indirect prompt injection through shared workspace documents or direct chart creation in multi-user workspaces-is rendered as untrusted HTML. Since chat history is server-side persisted and loaded via GET /api/workspace/:slug/chats, the XSS payload is stored and executed in every user's browser upon conversation load.

RemediationAI

Upgrade AnythingLLM to version 1.12.1 or later, which contains the patch correcting the Chartable component's markdown rendering to include DOMPurify sanitization. Apply the patch commit f5fa03f4728e483949f6360093bc3ea1ef555535 if building from source. For environments unable to upgrade immediately, disable the chart creation feature or restrict chart creation privileges to trusted administrators only; note that this trades functionality for security and does not eliminate risk if malicious charts were created prior to restriction. Audit existing chart captions in chat history for suspicious HTML/JavaScript patterns and consider clearing conversations known to contain user-influenced LLM output. Implement Content Security Policy (CSP) headers with script-src restrictions as a compensating control, though this does not replace the patch.

CVE-2023-4899 HIGH POC
8.8 Sep 12

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne

CVE-2023-4898 HIGH POC
7.5 Sep 12

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev

CVE-2026-32626 CRITICAL
9.6 Mar 13

XSS in AnythingLLM 1.11.1 and earlier.

CVE-2026-32628 HIGH
7.7 Mar 13

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a

CVE-2026-32617 HIGH
7.1 Mar 13

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th

CVE-2026-48789 MEDIUM
4.3 Jun 24

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to

CVE-2026-42456 MEDIUM
4.3 May 08

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32719 MEDIUM
4.2 Mar 13

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f

CVE-2026-32715 LOW
3.8 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-32717 LOW
2.7 Mar 13

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti

CVE-2026-47713 LOW
2.0 May 28

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing

CVE-2026-45403 LOW
2.0 May 28

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged au

Share

CVE-2026-41318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy