Timothy Carambat

37 exploits Active since Sep 2023
CVE-2026-41318 WRITEUP MEDIUM WRITEUP
AnythingLLM < 1.12.1 - Stored DOM XSS in Chart Caption Renderer
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
CVSS 5.4
CVE-2026-5627 WRITEUP HIGH WRITEUP
Path Traversal in mintplex-labs/anything-llm
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in `server/utils/agentFlows/index.js`. Specifically, the combination of `path.join` and `normalizePath` allows attackers to bypass directory restrictions and access or delete arbitrary `.json` files on the server. This can lead to information disclosure, such as leaking sensitive configuration files containing API keys, or denial of service by deleting critical files like `package.json`. The issue is resolved in version 1.12.1.
CVSS 7.2
CVE-2026-32628 WRITEUP HIGH WRITEUP
AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
CVSS 8.8
CVE-2026-32715 WRITEUP LOW WRITEUP
AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admin only. Because of this inconsistency, a manager can call the generic endpoints directly to read plaintext SQL database credentials and overwrite admin-only global settings such as the default system prompt and the Community Hub API key.
CVSS 3.8
CVE-2026-32717 WRITEUP LOW WRITEUP
AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API key path. If a user already has a valid brx-... browser extension API key, that key continues to work after suspension. As a result, a suspended user can still access browser extension endpoints, read reachable workspace metadata, and continue upload or embed operations even though normal authenticated requests are rejected.
CVSS 2.7
CVE-2026-32719 WRITEUP MEDIUM WRITEUP
AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
CVSS 4.2
CVE-2026-32626 WRITEUP CRITICAL WRITEUP
AnythingLLM Desktop <=1.11.1 - XSS to RCE
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().
CVSS 9.6
CVE-2023-4897 WRITEUP CRITICAL WRITEUP
mintplex-labs/anything-llm <0.0.1 - Path Traversal
Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 9.8
CVE-2023-4898 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm <0.0.1 - Auth Bypass
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 7.5
CVE-2023-4899 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm <0.0.1 - SQL Injection
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
CVSS 8.8
CVE-2023-5832 WRITEUP CRITICAL WRITEUP
Mintplexlabs Anythingllm < 0.1.0 - Improper Input Validation
Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
CVSS 9.1
CVE-2023-5833 WRITEUP HIGH WRITEUP
Mintplexlabs Anythingllm < 0.1.0 - Improper Access Control
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
CVSS 8.8
CVE-2024-0404 WRITEUP CRITICAL WRITEUP
Mintplex-Labs Anything-LLM - Privilege Escalation
A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing unauthorized creation of high-privileged accounts. By intercepting and modifying the HTTP request during the account creation process via an invitation link, an attacker can add a `role` property with `admin` value, thereby gaining administrative access. This issue arises due to the lack of property allowlisting and blocklisting, enabling the attacker to exploit the system and perform actions as an administrator.
CVSS 9.1
CVE-2024-0435 WRITEUP MEDIUM WRITEUP
Mintplexlabs Anythingllm - XSS
A user can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given that the minimum requirement for a user to send a chat is to be given access to a workspace via an admin, the risk is low. Additionally, the location in which the XSS renders is limited to the user who submits the XSS. Ultimately, this attack is limited to the user attacking themselves. There is no anonymous chat submission unless the user does not take the minimum steps required to protect their instance.
CVSS 5.4
CVE-2024-0436 WRITEUP MEDIUM WRITEUP
Mintplexlabs Anythingllm < 1.0.0 - Information Disclosure
Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via a timing attack, given the linear nature of the `!==` used for comparison. The risk is minimized by the additional overhead of the request, which varies in a non-constant manner, making the attack less reliable to execute.
CVSS 5.9
CVE-2024-0439 WRITEUP HIGH WRITEUP
Mintplexlabs Anythingllm < 1.0.0 - Improper Privilege Management
As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role, since most managers would not be savvy enough to modify these settings. They can, however, still use their token to modify those settings through a standard HTTP request. While this is not a critical vulnerability, it does indeed need to be patched to enforce the expected permission level.
CVSS 8.8
CVE-2024-0440 WRITEUP MEDIUM WRITEUP
Mintplexlabs AnythingLLM - Server-Side Request Forgery
An attacker who has permission to submit a link, or who submits a link via POST to be collected, and who uses the file:// protocol in that link can then introspect host files and other relatively stored files.
CVSS 6.5
CVE-2024-0455 WRITEUP HIGH WRITEUP
AnythingLLM - Info Disclosure
The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in single-user mode) could put in the URL `http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance`, which is a special IP and URL that resolves only when the request comes from within an EC2 instance. This would allow the user to see the connection/secret credentials for their specific instance and be able to manage it regardless of who deployed it. The user would have to have pre-existing knowledge of the hosting infra on which the target instance is deployed, but if sent, the request would resolve if on EC2 and the proper `iptable` or firewall rule is not configured for their setup.
CVSS 7.5
CVE-2024-0549 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm - Path Traversal
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
CVSS 8.1
CVE-2024-0759 WRITEUP HIGH WRITEUP
AnythingLLM - SSRF
Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of manager or admin, they could link-scrape internally resolving IPs of other services that are on the same network as AnythingLLM. This would require that the attacker also be able to guess these internal IPs, as `/*` ranging is not possible, but they could be brute-forced. There is a duty of care that other services on the same network would not be fully open and accessible via a simple cURL with zero authentication, as it is not possible to set headers or access via the link collector.
CVSS 7.5
CVE-2024-0763 WRITEUP HIGH WRITEUP
Path Traversal
Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The attacker would need access to the server at some privilege level since this endpoint is protected and requires authorization.
CVSS 8.1
CVE-2024-0795 WRITEUP HIGH WRITEUP
Unspecified - Privilege Escalation
If an attacker was given access to an instance with the admin or manager role, there is no backend authentication that would prevent the attacker from creating a new user with an `admin` role and then using this new account to have elevated privileges on the instance.
CVSS 7.2
CVE-2024-0798 WRITEUP MEDIUM WRITEUP
mintplex-labs/anything-llm - Privilege Escalation
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded by 'admin'. Despite the intended restriction that prevents 'default' role users from deleting admin-uploaded documents, an attacker can exploit this vulnerability by sending a crafted DELETE request to the /api/system/remove-document endpoint. This vulnerability is due to improper access control checks, enabling unauthorized document deletion and potentially leading to loss of data integrity.
CVSS 6.5
CVE-2024-13060 WRITEUP MEDIUM WRITEUP
AnythingLLM Docker <1.3.1 - Info Disclosure
A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. This issue is present in versions prior to 1.3.1.
CVSS 4.3
CVE-2024-3101 WRITEUP HIGH WRITEUP
mintplex-labs/anything-llm - Privilege Escalation
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating 'Multi-User Mode'. By sending a specially crafted curl request with the 'multi_user_mode' parameter set to false, an attacker can deactivate 'Multi-User Mode'. This action permits the creation of a new admin user without requiring a password, leading to unauthorized administrative access.
CVSS 7.2