Anythingllm
Monthly
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.
Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).
AnythingLLM's password recovery endpoint leaks information about valid usernames through differential error messages, enabling account enumeration attacks. Public exploit code exists for this low-complexity network vulnerability that requires no authentication. The issue has been patched as of commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the embeddable chat functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A vulnerability in the Dockerized version of mintplex-labs/anything-llm (latest, digest 1d9452da2b92) allows for a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services.
A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
AnythingLLM prior to version 1.3.1 contains a path traversal vulnerability through non-ASCII filename handling in the multer library. The filename transformation introduces ../ sequences that enable arbitrary file write, leading to remote code execution on the LLM application server.
AnythingLLM versions prior to 1.10.0 contain a path traversal vulnerability in the DrupalWiki integration that allows malicious administrators or attackers with admin privileges to write arbitrary files to the server, potentially achieving remote code execution through configuration file overwriting or malicious script injection. Public exploit code exists for this vulnerability, and no patch is currently available for affected deployments. The attack requires high-level privileges but carries critical risk due to the ability to completely compromise server integrity.
Anythingllm versions up to 1.10.0 contains a vulnerability that allows attackers to complete compromise of the semantic search / retrieval functionality and indirec (CVSS 7.5).
AnythingLLM's password recovery endpoint leaks information about valid usernames through differential error messages, enabling account enumeration attacks. Public exploit code exists for this low-complexity network vulnerability that requires no authentication. The issue has been patched as of commit e287fab56089cf8fcea9ba579a3ecdeca0daa313.
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the embeddable chat functionality. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to arbitrary file read and write in the storage directory. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A vulnerability in the Dockerized version of mintplex-labs/anything-llm (latest, digest 1d9452da2b92) allows for a denial of service. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
AnythingLLM version 1.5.5 exposes sensitive system settings including search engine API keys through the unauthenticated /setup-complete endpoint. Attackers can steal API keys, enumerate system configuration, and leverage exposed credentials to compromise integrated services.
A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API endpoint "/api/system/custom-models". Rated high severity (CVSS 8.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
AnythingLLM prior to version 1.3.1 contains a path traversal vulnerability through non-ASCII filename handling in the multer library. The filename transformation introduces ../ sequences that enable arbitrary file write, leading to remote code execution on the LLM application server.