Description
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account to delete files and folders within the filesystem, including critical database files such as 'anythingllm.db'. The vulnerability stems from insufficient input validation and normalization in the handling of file and folder deletion requests. Successful exploitation results in the compromise of data integrity and availability.
References (2)
Core 2
Core References
Exploit, Third Party Advisory
https://huntr.com/bounties/fcb4001e-0290-4b78-a2f0-91ee5d20cc72
Scores
CVSS v3
8.1
EPSS
0.0082
EPSS Percentile
52.2%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-23
Status
published
Products (1)
mintplexlabs/anythingllm
< 1.0.0
Published
Apr 16, 2024
Tracked Since
Feb 18, 2026