Lucene search
K

198 matches found

EUVD
EUVD
added 2026/03/13 9:23 p.m.5 views

EUVD-2026-12176

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/03/13 9:23 p.m.4 views

CVE-2026-32717 AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/13 9:23 p.m.32 views

CVE-2026-32717 AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS0.00231EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/13 9:23 p.m.6 views

CVE-2026-32717

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/13 9:23 p.m.7 views

CVE-2026-32717 AnythingLLM access control bypass: suspended users can continue using Browser Extension API keys

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, in multi-user mode, AnythingLLM blocks suspended users on the normal JWT-backed session path, but it does not block them on the browser extension API...

2.7CVSS5.8AI score0.00231EPSS
Exploits1References4
Vulnrichment
Vulnrichment
added 2026/03/13 9:22 p.m.2 views

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

3.8CVSS5.8AI score0.00198EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/13 9:22 p.m.2 views

CVE-2026-32715

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

3.8CVSS5.8AI score0.00198EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/03/13 9:22 p.m.21 views

CVE-2026-32715

CVE-2026-32715 | AnythingLLM in versions up to 1.11.1 has a privilege bypass where two generic system-preferences endpoints expose manager-level access, bypassing admin-only restrictions. This allows a manager to read plaintext SQL database credentials and overwrite admin-only global settings (e....

3.8CVSS5.8AI score0.00198EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/03/13 9:22 p.m.30 views

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

3.8CVSS0.00198EPSS
Exploits1References2
EUVD
EUVD
added 2026/03/13 9:22 p.m.5 views

EUVD-2026-12175

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

3.8CVSS5.8AI score0.00198EPSS
Exploits1References2
OSV
OSV
added 2026/03/13 9:22 p.m.7 views

CVE-2026-32715 AnythingLLM Manager Privilege Bypass Allows Access to Admin-Only System Preferences

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The two generic system-preferences endpoints allow manager role access, while every other surface that touches the same settings is restricted to admi...

3.8CVSS5.8AI score0.00198EPSS
Exploits1References4
EUVD
EUVD
added 2026/03/13 8:50 p.m.9 views

EUVD-2026-12138

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

7.7CVSS6.2AI score0.00299EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/03/13 8:50 p.m.31 views

CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

7.7CVSS0.00299EPSS
Exploits1References2
CVE
CVE
added 2026/03/13 8:50 p.m.21 views

CVE-2026-32628

AnythingLLM has a SQL injection in the built‑in SQL Agent plugin (v1.11.1 and earlier) allowing a user who can invoke the agent to run arbitrary SQL on connected databases. The vulnerability stems from getTableSchemaSql() building queries via direct string concatenation of the table_name paramete...

8.8CVSS6.2AI score0.00299EPSS
Exploits1References2Affected Software1
ATTACKERKB
ATTACKERKB
added 2026/03/13 8:50 p.m.2 views

CVE-2026-32628

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

7.7CVSS6.2AI score0.00299EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/03/13 8:50 p.m.3 views

CVE-2026-32628 AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected...

7.7CVSS6.2AI score0.00299EPSS
Exploits1References4
Cvelist
Cvelist
added 2026/03/13 8:14 p.m.48 views

CVE-2026-32626 AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...

9.6CVSS0.00721EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/03/13 8:14 p.m.4 views

CVE-2026-32626

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...

9.6CVSS5.9AI score0.00721EPSS
Exploits1References3Affected Software1
Vulnrichment
Vulnrichment
added 2026/03/13 8:14 p.m.6 views

CVE-2026-32626 AnythingLLM has a Streaming Phase XSS to RCE via LLM Response Injection

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...

9.6CVSS5.9AI score0.00721EPSS
Exploits1References2
CVE
CVE
added 2026/03/13 8:14 p.m.23 views

CVE-2026-32626

CVE-2026-32626 affects AnythingLLM Desktop (1.11.1 and earlier). The root cause is in the chat rendering pipeline where user-provided content is interpolated into the alt attribute of an image in frontend/src/utils/chat/markdown.js without HTML entity escaping, combined with rendering the output ...

9.6CVSS5.9AI score0.00721EPSS
Exploits1References2Affected Software1
Rows per page
Query Builder