CVE-2026-32719

medium

Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating the file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.

References

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m

https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c

Details

Source: Mitre, NVD

Published: 2026-03-13

Risk Information

CVSS v2

Base Score: 4.6

Vector: CVSS2#AV:N/AC:H/Au:M/C:N/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 4.2

Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

Severity: Medium

EPSS

EPSS: 0.00038