Lucene search
+L

204 matches found

NVD
NVD
added 2026/06/24 6:17 p.m.12 views

CVE-2026-55611

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...

0.00236EPSS
Exploits0References3
NVD
NVD
added 2026/06/24 6:17 p.m.10 views

CVE-2026-48789

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...

4.3CVSS0.00231EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/24 5:17 p.m.8 views

EUVD-2026-39009

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...

5.9AI score0.00236EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 5:17 p.m.2 views

CVE-2026-55611 AnythingLLM: embed-parsed-file cleanup deletes any parsed file by ID without ownership scoping (cross-tenant IDOR deletion)

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...

6AI score0.00236EPSS
Exploits0References5
ATTACKERKB
ATTACKERKB
added 2026/06/24 5:13 p.m.6 views

CVE-2026-48789

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...

4.3CVSS5.9AI score0.00231EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/24 5:13 p.m.15 views

CVE-2026-48789

CVE-2026-48789 affects AnythingLLM on Windows prior to version 1.13.0. The document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared path containment helper rejects POSIX-style "../" traversal but does not reject W...

4.3CVSS5.9AI score0.00231EPSS
Exploits0References1
OSV
OSV
added 2026/06/24 5:13 p.m.4 views

CVE-2026-48789 AnythingLLM: Windows path containment bypass in document folder route

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared...

4.3CVSS6AI score0.00231EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-45403

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child...

2.5CVSS5.4AI score0.00193EPSS
Exploits1References1
NVD
NVD
added 2026/05/28 10:17 p.m.21 views

CVE-2026-48116

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

8.8CVSS0.00366EPSS
Exploits1References2
NVD
NVD
added 2026/05/28 10:17 p.m.20 views

CVE-2026-45403

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child...

2.5CVSS0.00193EPSS
Exploits1References2
CVE
CVE
added 2026/05/28 9:20 p.m.41 views

CVE-2026-47713

Summary of CVE-2026-47713 : AnythingLLM prior to version 1.13.0 allowed a mobile device token created in single-user mode to survive the migration to multi-user mode without an attached user. In multi-user mode, the mobile authentication middleware accepted this token, causing downstream handlers...

4.3CVSS5.8AI score0.00219EPSS
Exploits1References2Affected Software1
Cvelist
Cvelist
added 2026/05/28 9:20 p.m.37 views

CVE-2026-47713 AnythingLLM: Legacy mobile device tokens bypass multi-user workspace scoping after mode migration

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, an approved mobile device token created in single-user mode can survive single-user - multi-user migration even when the device record has userId = null. In...

2CVSS0.00219EPSS
Exploits1References2
EUVD
EUVD
added 2026/05/28 9:19 p.m.14 views

EUVD-2026-33068

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

7.5CVSS6AI score0.00366EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/28 9:19 p.m.17 views

CVE-2026-48116 AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

7.5CVSS6AI score0.00366EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/28 9:19 p.m.59 views

CVE-2026-48116 AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

7.5CVSS0.00366EPSS
Exploits1References2
CVE
CVE
added 2026/05/28 9:19 p.m.38 views

CVE-2026-48116

AnythingLLM CVE-2026-48116: Prior to 1.13.0, the filesystem-search-files agent passes a user-controlled pattern to ripgrep as a positional argument without a -- end-of-options separator. ripgrep interprets arguments starting with - as options, so a pattern like --pre=/bin/sh can execute /bin/sh f...

8.8CVSS6AI score0.00366EPSS
Exploits1References2Affected Software1
OSV
OSV
added 2026/05/28 9:19 p.m.5 views

CVE-2026-48116 AnythingLLM: RCE via ripgrep --pre argument injection in filesystem-search-files agent skill

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separato...

7.5CVSS6.1AI score0.00366EPSS
Exploits1References4
EUVD
EUVD
added 2026/05/28 9:18 p.m.15 views

EUVD-2026-33067

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child...

2CVSS5.8AI score0.00193EPSS
Exploits1References2
Cvelist
Cvelist
added 2026/05/28 9:18 p.m.36 views

CVE-2026-45403 AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child...

2CVSS0.00193EPSS
Exploits1References2
Vulnrichment
Vulnrichment
added 2026/05/28 9:18 p.m.10 views

CVE-2026-45403 AnythingLLM: filesystem-copy-file follows nested symlinks and copies files from outside the allowed directory

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the AnythingLLM agent filesystem copy tool validates only the top-level source and destination paths. The recursive copy helper then descends into child...

2CVSS5.8AI score0.00193EPSS
Exploits1References2
Rows per page
Query Builder