Skip to main content

Anything Llm

14 CVEs product

Monthly

CVE-2026-55611 NONE PATCH Awaiting Data

{} blocks that fire unconditionally - even when the preceding ownership-checked read fails - scoping deletion only by raw primary key with no userId or workspaceId constraint. Versions 1.11.1 through 1.14.0 are affected; no public exploit or CISA KEV listing identified at time of analysis, though the fix commit confirms the root cause and makes exploitation trivially reproducible.

Authentication Bypass Anything Llm
NVD GitHub
EPSS
0.2%
CVE-2026-48789 MEDIUM PATCH This Month

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.

Path Traversal Microsoft Anything Llm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2026-47713 LOW PATCH Monitor

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing a pre-migration token holder to bypass per-user data filtering and access other users' workspace content. Affected are all AnythingLLM installations (cpe:2.3:a:mintplex-labs:anything-llm) prior to version 1.13.0 that have undergone a single-user to multi-user migration while mobile device tokens existed. An attacker retaining a previously approved mobile token can enumerate workspaces and retrieve thread metadata and chat history belonging to other users. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Authentication Bypass Anything Llm
NVD GitHub VulDB
CVSS 3.1
2.0
EPSS
0.0%
CVE-2026-45403 LOW PATCH Monitor

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.

Information Disclosure Anything Llm
NVD GitHub
CVSS 3.1
2.0
EPSS
0.0%
CVE-2026-42456 MEDIUM This Month

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.

Information Disclosure Anything Llm
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-41318 MEDIUM PATCH This Month

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject malicious markdown via indirect prompt injection, affecting all other users who view the compromised conversation. The vulnerability stems from unsafe markdown-to-HTML conversion in the Chartable component that bypasses the application's standard DOMPurify sanitization defense-in-depth. Versions prior to 1.12.1 are affected; patch available.

XSS Anything Llm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-32719 MEDIUM This Month

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Path Traversal RCE AI / ML Anything Llm
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-32717 LOW Monitor

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

Authentication Bypass Anything Llm
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-32715 LOW Monitor

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

Authentication Bypass Anything Llm
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-32628 HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL MSSQL Information Disclosure +2
NVD GitHub
CVSS 4.0
7.7
EPSS
0.0%
CVE-2026-32626 CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML Anything Llm
NVD GitHub
CVSS 3.1
9.6
EPSS
0.2%
CVE-2026-32617 HIGH This Week

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.

Information Disclosure Google Mozilla AI / ML Anything Llm +2
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2023-4899 HIGH POC PATCH This Week

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Anything Llm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.6%
CVE-2023-4898 HIGH POC PATCH This Week

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Anything Llm
NVD GitHub
CVSS 3.1
7.5
EPSS
0.6%
EPSS 0%
NONE PATCH Awaiting Data

{} blocks that fire unconditionally - even when the preceding ownership-checked read fails - scoping deletion only by raw primary key with no userId or workspaceId constraint. Versions 1.11.1 through 1.14.0 are affected; no public exploit or CISA KEV listing identified at time of analysis, though the fix commit confirms the root cause and makes exploitation trivially reproducible.

Authentication Bypass Anything Llm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

Path traversal in AnythingLLM's document folder listing endpoint on Windows allows authenticated low-privilege users to enumerate directories outside the intended documents directory. The root cause is a platform-specific gap in the shared path containment helper: it correctly rejects POSIX-style '../' sequences but fails to reject Windows-style parent path segments produced by Node.js path.relative(), such as bare '..'. No active exploitation has been confirmed (not in CISA KEV) and no public exploit code has been identified, consistent with the Medium CVSS score of 4.3 and the authentication requirement.

Path Traversal Microsoft Anything Llm
NVD GitHub
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Stale mobile device tokens in AnythingLLM survive single-user to multi-user mode migration with a null userId, allowing a pre-migration token holder to bypass per-user data filtering and access other users' workspace content. Affected are all AnythingLLM installations (cpe:2.3:a:mintplex-labs:anything-llm) prior to version 1.13.0 that have undergone a single-user to multi-user migration while mobile device tokens existed. An attacker retaining a previously approved mobile token can enumerate workspaces and retrieve thread metadata and chat history belonging to other users. No public exploit identified at time of analysis and this CVE is not listed in CISA KEV.

Authentication Bypass Anything Llm
NVD GitHub VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

Symlink following in the AnythingLLM agent filesystem copy tool (versions prior to 1.13.0) allows a highly-privileged authenticated user to read files outside the configured filesystem sandbox by placing a symbolic link inside an agent-accessible source directory. The recursive copy helper validates only top-level paths, then descends into child entries using Node.js fs.stat() and fs.copyFile(), both of which transparently follow symlinks - silently redirecting reads to targets outside the allowed root and materializing their contents in an accessible destination. No public exploit code has been identified and the vulnerability is not listed in the CISA KEV catalog; the CVSS score of 2.0 reflects that exploitation is constrained to high-privilege accounts with high complexity and required user interaction.

Information Disclosure Anything Llm
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.

Information Disclosure Anything Llm
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM PATCH This Month

Stored DOM-level XSS in AnythingLLM's chart caption rendering allows authenticated users in shared workspaces to inject malicious markdown via indirect prompt injection, affecting all other users who view the compromised conversation. The vulnerability stems from unsafe markdown-to-HTML conversion in the Chartable component that bypasses the application's standard DOMPurify sanitization defense-in-depth. Versions prior to 1.12.1 are affected; patch available.

XSS Anything Llm
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM This Month

AnythingLLM versions 1.11.1 and earlier contain a Zip Slip path traversal vulnerability in the community plugin import functionality that fails to validate file paths during ZIP extraction. An authenticated attacker with high privileges can craft a malicious ZIP file containing path traversal sequences that, when imported via the community hub, extract files outside the intended directory and achieve arbitrary code execution on the server. While the CVSS score is moderate (4.2) due to high privilege requirements and user interaction, the vulnerability enables code execution and should be addressed promptly.

Path Traversal RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 2.7
LOW Monitor

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

Authentication Bypass Anything Llm
NVD GitHub
EPSS 0% CVSS 3.8
LOW Monitor

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting.

Authentication Bypass Anything Llm
NVD GitHub
EPSS 0% CVSS 7.7
HIGH This Week

SQL injection in AnythingLLM versions 1.11.1 and earlier enables authenticated users to execute arbitrary SQL commands against connected PostgreSQL, MySQL, and MSSQL databases through the built-in SQL Agent plugin. The vulnerability stems from unsafe string concatenation of table names in the getTableSchemaSql() method across all three database connectors, bypassing proper parameterization. Any user with access to invoke the SQL Agent can exploit this to read, modify, or delete sensitive database contents.

SQLi PostgreSQL MySQL +4
NVD GitHub
EPSS 0% CVSS 9.6
CRITICAL Act Now

XSS in AnythingLLM 1.11.1 and earlier.

XSS RCE AI / ML +1
NVD GitHub
EPSS 0% CVSS 7.1
HIGH This Week

AnythingLLM versions 1.11.1 and earlier contain an authentication bypass vulnerability on default installations where the application's HTTP endpoints and WebSocket connections lack proper authentication and accept requests from any origin. While rated CVSS 7.1, exploitation is limited to attackers on the same local network due to browser Private Network Access (PNA) protections, making this a medium-priority issue for most deployments.

Information Disclosure Google Mozilla +4
NVD GitHub
EPSS 1% CVSS 8.8
HIGH POC PATCH This Week

SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SQLi Anything Llm
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Authentication Bypass Anything Llm
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy