CVE-2026-32719
Severity
MEDIUM
AnythingLLM <= 1.11.1 Plugin Import - Zip Slip Code Execution
Title source: manual
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it with AdmZip.extractAllTo() without validating the paths of the entries inside the archive. An entry whose name contains path traversal sequences (for example ../) is therefore written outside the intended plugin directory. This is a Zip Slip path traversal and, because the archive is extracted on the AnythingLLM server, it can lead to arbitrary code execution.
References (2)
Confirm (GitHub security advisory)
https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m
Misc (commit)
https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c
Scores
CVSS v3
4.2
EPSS
0.0039
EPSS Percentile
30.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-22
CWE-94
Status
published
Products (2)
Mintplex-Labs/anything-llm
<= 1.11.1
mintplexlabs/anythingllm
< 1.11.1
Published
Mar 16, 2026
Tracked Since
Mar 16, 2026