AnythingLLM is a self-hosted, full-stack AI application developed by Mintplex Labs that combines document chat, AI agents, and configurable model backends in a single interface.
AnythingLLM (v1.11.1) is one of the most popular open-source RAG platforms with over 56,000 GitHub stars. It supports multiple LLMs and vector stores, making it ideal for internal knowledge bases and private RAG deployments.
GitHub: Mintplex-Labs/anything-llm
AnythingLLM is built primarily in JavaScript (98.2%) and CSS (1.5%), with a focus on ease of deployment and use.
AnythingLLM has disclosed 13 security advisories from January 2024 to March 2026. The most critical issues were addressed in v1.10.0.

| GHSA ID | CVE | Vulnerability | Severity | CVSS | Fixed | Published |
|---|---|---|---|---|---|---|
| GHSA-rrmw-2j6x-4mf2 | CVE-2026-32626 | XSS to RCE via LLM Response Injection | Critical | 9.7 | v1.11.2 | Mar 13, 2026 |
| GHSA-jwjx-mw2p-5wc7 | - | SQL Injection in SQL Agent Plugin | High | - | - | Mar 13, 2026 |
| GHSA-24qj-pw4h-3jmm | CVE-2026-32617 | Permissive CORS policy | High | - | - | Mar 12, 2026 |
| GHSA-2qmm-82f7-8qj5 | - | IDOR Cross-User Chat Feedback | Moderate | - | - | Mar 13, 2026 |
| GHSA-rh66-4w74-cf4m | - | Zip Slip Path Traversal | Moderate | - | - | Mar 13, 2026 |
| GHSA-p5rf-8p88-979c | CVE-2026-32628 | Cross-Workspace IDOR | Moderate | - | - | Mar 13, 2026 |
| GHSA-wfq3-65gm-3g2p | - | Manager Privilege Bypass | Low | - | - | Mar 13, 2026 |
| GHSA-7754-8jcc-2rg3 | CVE-2026-32717 | Suspended Users API Key Access | Low | - | - | Mar 13, 2026 |

| GHSA ID | CVE | Vulnerability | Severity | Fixed |
|---|---|---|---|---|
| GHSA-gm94-qc2p-xcwf | CVE-2026-24477 | API key leak in systemSettings.js | High (8.7) | v1.10.0 |
| GHSA-jp2f-99h9-7vjv | CVE-2026-24478 | Path traversal in DrupalWiki | High (7.2) | v1.10.0 |
| GHSA-47vr-w3vm-69ch | - | Username Enumeration | Moderate (5.3) | - |

| GHSA ID | Vulnerability | Severity | Published |
|---|---|---|---|
| GHSA-7hpg-6pc7-cx86 | Ollama token leak (GHSL-2025-056) | High | May 7, 2025 |
| GHSA-xmj6-g32r-fc5q | Unauthenticated DOS attack | High (7.5) | Jan 18, 2024 |

Recommendation: Always run the latest version (v1.11.1 or newer). Monitor GitHub Security Advisories for updates.
AnythingLLM is a mature platform for self-hosted AI applications with:
AnythingLLM is released under the MIT License:

| Attribute | Details |
|---|---|
| Developer | Mintplex Labs |
| License | MIT |
| GitHub | github.com/Mintplex-Labs/anything-llm |
| Stars | 56.6k+ |
| Forks | 6.1k+ |
| Latest Release | v1.11.2 (March 18, 2026) |
| Website | anythingllm.com |
| Docker Hub | mintplexlabs/anythingllm |
| Security Advisories | 13 disclosed (Jan 2024 - Mar 2026) |