Severity by source
AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N
Lifecycle Timeline
6DescriptionGitHub Advisory
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..." attribute without any HTML encoding. Every call-site in the app wraps renderMarkdown(...) with DOMPurify.sanitize(...) as defense-in-depth - except the Chartable component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a create-chart tool call, so any attacker who can influence the LLM's output - most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace - can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via GET /api/workspace/:slug/chats and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
AnalysisAI
Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject malicious markdown via indirect prompt injection, affecting all other users who view the compromised conversation. The vulnerability stems from unsafe markdown-to-HTML conversion in the Chartable component that bypasses the application's standard DOMPurify sanitization defense-in-depth. Versions prior to 1.12.1 are affected; patch available.
Technical ContextAI
AnythingLLM's markdown renderer applies unsafe custom rules to interpolate image alt text directly into HTML alt attributes without encoding. While most call-sites wrap renderMarkdown() with DOMPurify.sanitize(), the Chartable component (used for rendering LLM-generated chart captions) bypasses this sanitization layer entirely. The vulnerability is a CWE-79 (Improper Neutralization of Input During Web Page Generation) where attacker-controlled LLM output-achievable via indirect prompt injection through shared workspace documents or direct chart creation in multi-user workspaces-is rendered as untrusted HTML. Since chat history is server-side persisted and loaded via GET /api/workspace/:slug/chats, the XSS payload is stored and executed in every user's browser upon conversation load.
RemediationAI
Upgrade AnythingLLM to version 1.12.1 or later, which contains the patch correcting the Chartable component's markdown rendering to include DOMPurify sanitization. Apply the patch commit f5fa03f4728e483949f6360093bc3ea1ef555535 if building from source. For environments unable to upgrade immediately, disable the chart creation feature or restrict chart creation privileges to trusted administrators only; note that this trades functionality for security and does not eliminate risk if malicious charts were created prior to restriction. Audit existing chart captions in chat history for suspicious HTML/JavaScript patterns and consider clearing conversations known to contain user-influenced LLM output. Implement Content Security Policy (CSP) headers with script-src restrictions as a compensating control, though this does not replace the patch.
More in Anything Llm
View allSQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulne
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high sev
XSS in AnythingLLM 1.11.1 and earlier.
SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands a
AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where th
Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import f
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatti
Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing
Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged au
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25387