EUVD-2026-12105

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS...

PT-2026-25378

Another example of the nodeIntegration: true / contextIsolation: false combination leading to a critical security vulnerability in a production Electron application. AnythingLLM Desktop is a popular local LLM + RAG tool. Their streaming chat renderer does not sanitise LLM output before DOM...

CVE-2025-69517

An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agentid parameter accepts up to 255 characters and is improperly sanitized...

Exploit for CVE-2024-54160

CVE-2024-54160-Opensearch-HTML-Injection + Stored XSS It w...

CVE-2024-53847

The Trix rich text editor, prior to versions 2.1.9 and 1.3.3, is vulnerable to cross-site scripting XSS + mutation XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's...

CVE-2024-53847 Trix vulnerable to Cross-site Scripting on copy & paste

The Trix rich text editor, prior to versions 2.1.9 and 1.3.3, is vulnerable to cross-site scripting XSS + mutation XSS attacks when pasting malicious code. An attacker could trick a user to copy and paste malicious code that would execute arbitrary JavaScript code within the context of the user's...