VYPR

AnythingLLM

by Mintplex Labs

CVEs (69)

  • CVE-2026-48116 | High | May 28, 2026
    risk 0.42 | cvss 7.5 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a --…

  • CVE-2026-5627 | High | Apr 7, 2026
    risk 0.40 | cvss 7.2 | epss 0.01

    A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in…

  • CVE-2026-41318 | Medium | Apr 24, 2026
    risk 0.28 | cvss 5.4 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text…

  • CVE-2024-4286 | Medium | May 26, 2024
    risk 0.25 | cvss 4.9 | epss 0.00

    Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user…

  • CVE-2026-42456 | Medium | May 8, 2026
    risk 0.21 | cvss 4.3 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the…

  • CVE-2026-47713 | Low | May 28, 2026
    risk 0.06 | cvss 2.0 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record…

  • CVE-2026-45403 | Low | May 28, 2026
    risk 0.06 | cvss 2.0 | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then…

  • CVE-2024-6842 | Mar 20, 2025
    risk 0.02 | cvss | epss 0.29

    In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system settings. The data returned by the `currentSettings` function includes sensitive information such as API keys for search engines, which can be…

  • CVE-2024-13059 | Feb 10, 2025
    risk 0.02 | cvss | epss 0.20

    A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII filenames in the multer library. This vulnerability can lead to arbitrary file write, which can subsequently result in remote code execution. The…

  • CVE-2026-24477 | Jan 26, 2026
    risk 0.01 | cvss | epss 0.02

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text…

  • CVE-2026-55611 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST…

  • CVE-2026-48789 | Jun 24, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents…

  • CVE-2026-32719 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community…

  • CVE-2026-32717 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the…

  • CVE-2026-32715 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is…

  • CVE-2026-32628 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL…

  • CVE-2026-32626 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.01

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code…

  • CVE-2026-32617 | Mar 13, 2026
    risk 0.00 | cvss | epss 0.00

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, on default installations where no password or API key has been configured, all HTTP endpoints and the agent WebSocket lack…

  • CVE-2026-24478 | Jan 26, 2026
    risk 0.00 | cvss | epss 0.01

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an…

  • CVE-2026-21484 | Jan 3, 2026
    risk 0.00 | cvss | epss 0.01

    AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit e287fab56089cf8fcea9ba579a3ecdeca0daa313, the password recovery endpoint returns different error messages depending on whether a username…

Page 1 of 4