CVE-2026-32719

MEDIUM

AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import

Title source: cna

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.

References (2)

[X_Refsource_Confirm] https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m

[X_Refsource_Misc] https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c

View Writeup ZIP pw:eip

Scores

CVSS v3 4.2

EPSS 0.0005

EPSS Percentile 16.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-22 CWE-94

Status published

Products (2)

Mintplex-Labs/anything-llm <= 1.11.1

mintplexlabs/anythingllm < 1.11.1

Published Mar 16, 2026

Tracked Since Mar 16, 2026