8 matches found
EUVD-2026-39009
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow...
PT-2026-52036
Name of the Vulnerable Software and Affected Versions AnythingLLM versions 1.11.1 through 1.14.0 Description An issue exists where the application fails to perform ownership checks when deleting parsed files. Specifically, the 'POST /api/workspace/:slug/embed-parsed-file/:fileId' endpoint deletes...
EUVD-2026-19637
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...
CVE-2026-5627 Path Traversal in mintplex-labs/anything-llm
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...
CVE-2026-5627 Path Traversal in mintplex-labs/anything-llm
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows component. The vulnerability arises from improper handling of user input in the loadFlow and deleteFlow methods in server/utils/agentFlows/index.js. Specifically, the...
CVE-2026-5627
The CVE-2026-5627 issue affects mintplex-labs/anything-llm up to version 1.9.1, specifically in the AgentFlows component. The vulnerability stems from improper handling of user input in loadFlow and deleteFlow (server/utils/agentFlows/index.js), where path.join combined with normalizePath can byp...
Langflow: Authenticated Users Can Read, Modify, and Delete Any Flow via Missing Ownership Check
Vulnerability IDOR in GET/PATCH/DELETE /api/v1/flow/flowid The readflow helper in src/backend/base/langflow/api/v1/flows.py branched on the AUTOLOGIN setting to decide whether to filter by userid. When AUTOLOGIN was False i.e., authentication was enabled, neither branch enforced an ownership chec...
EUVD-2021-24817
Malware in sbrugna...