Timothy Carambat

41 exploits Active since Sep 2023
CVE-2026-45403 WRITEUP LOW WRITEUP
AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child entries using fs.stat() and copies files with fs.copyFile() without validating each child or rejecting symlinks. Because both APIs follow symlinks, a symlink nested inside an allowed source directory can point outside the allowed filesystem root and cause outside file contents to be copied into an allowed destination as a regular file. This vulnerability is fixed in 1.13.0.
CVSS 2.0
CVE-2026-47713 WRITEUP LOW WRITEUP
AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user -> multi-user migration even when the device record has userId = null. In multi-user mode, that stale token is still accepted by the mobile authentication middleware. Because no user is attached to the request, downstream mobile handlers fall back to unscoped data-access branches and return workspaces and workspace content without per-user filtering. This permits a pre-migration mobile token to enumerate a workspace assigned only to another user and retrieve victim-owned thread metadata and chat content in multi-user mode. This vulnerability is fixed in 1.13.0.
CVSS 2.0
CVE-2026-48116 WRITEUP HIGH WRITEUP
AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
CVSS 7.5
CVE-2026-42456 WRITEUP MEDIUM WRITEUP
AnythingLLM: Cross-User TTS Audio Disclosure via Chat ID (IDOR)
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, GET /api/workspace/:slug/tts/:chatId in AnythingLLM returns the text-to-speech audio for another user's chat response within the same workspace because the route validates workspace membership but does not enforce ownership of the targeted chat row. As a result, an authenticated user can access another user's private assistant response in audio form if the chatId is known or guessed. This constitutes an insecure direct object reference (IDOR) affecting private chat response content exposed through the TTS endpoint. This issue has been patched in version 1.12.1.
CVSS 4.3
CVE-2026-41318 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
CVSS 5.4
CVE-2026-5627 WRITEUP HIGH WRITEUP
Path Traversal in mintplex-labs/anything-llm
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.
CVSS 7.2
CVE-2026-32628 WRITEUP HIGH WRITEUP
AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
CVSS 8.8
CVE-2026-32715 WRITEUP LOW WRITEUP
AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
CVSS 3.8
CVE-2026-32717 WRITEUP LOW WRITEUP
AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
CVSS 2.7
CVE-2026-32719 WRITEUP MEDIUM WRITEUP
AnythingLLM <=1.11.1 Plugin Import - Zip Slip Code Execution
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
CVSS 4.2
CVE-2026-32626 WRITEUP CRITICAL WRITEUP
AnythingLLM Desktop <=1.11.1 - XSS to RCE
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().
CVSS 9.6
CVE-2023-4897 WRITEUP CRITICAL WRITEUP
mintplex-labs/anything-llm <0.0.1 - Path Traversal
Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 9.8
CVE-2023-4898 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm <0.0.1 - Auth Bypass
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 7.5
CVE-2023-4899 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm <0.0.1 - SQL Injection
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 8.8
CVE-2023-5832 WRITEUP CRITICAL WRITEUP
AnythingLLM < 0.1.0 - Improper Input Validation
Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
CVSS 9.1
CVE-2023-5833 WRITEUP HIGH WRITEUP
AnythingLLM < 0.1.0 - Improper Access Control
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
CVSS 8.8
CVE-2024-0404 WRITEUP CRITICAL WRITEUP
Mintplex-Labs Anything-LLM - Privilege Escalation
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.
CVSS 9.1
CVE-2024-0435 WRITEUP MEDIUM WRITEUP
AnythingLLM - Stored Cross-Site Scripting in Chat Message Renderer
User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given the minimum requirement for a user to send a chat is to be given access to a workspace via an admin the risk is low. Additionally, the location in which the XSS renders is only limited to the user who submits the XSS. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum steps required to protect their instance.
CVSS 5.4
CVE-2024-0436 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.0.0 - Timing Attack via Password Comparison
Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack given the linear nature of the `!==` used for comparison. The risk is minified by the additional overhead of the request, which varies in a non-constant nature making the attack less reliable to execute
CVSS 5.9
CVE-2024-0439 WRITEUP HIGH WRITEUP
AnythingLLM < 1.0.0 - Improper Privilege Management via HTTP Request
As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since most managers would not be savvy enough to modify these settings. They can use their token to still modify those settings though through a standard HTTP request While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.
CVSS 8.8
CVE-2024-0440 WRITEUP MEDIUM WRITEUP
Mintplexlabs AnythingLLM - Server-Side Request Forgery
Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then introspect host files and other relatively stored files.
CVSS 6.5
CVE-2024-0455 WRITEUP HIGH WRITEUP
AnythingLLM - Authenticated Server-Side Request Forgery via Web Scraper URL Parameter
The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single user) could put in the URL ``` http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance ``` which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra which the target instance is deployed on, but if sent - would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.
CVSS 7.5
CVE-2024-0549 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm - Path Traversal
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
CVSS 8.1
CVE-2024-0759 WRITEUP HIGH WRITEUP
AnythingLLM - Manager-Level Server-Side Request Forgery via Link Scraper
Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require the attacker also be able to guess these internal IPs as `/*` ranging is not possible, but could be brute forced. There is a duty of care that other services on the same network would not be fully open and accessible via a simple CuRL with zero authentication as it is not possible to set headers or access via the link collector.
CVSS 7.5
CVE-2024-0763 WRITEUP HIGH WRITEUP
AnythingLLM < 1.0.0 - Authenticated Path Traversal and Arbitrary Folder Deletion
Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.
CVSS 8.1