AnythingLLM Security

GHSA ID	CVE	Vulnerability	Severity	CVSS	Fixed Version	Published
GHSA-rrmw-2j6x-4mf2	CVE-2026-32626	XSS to RCE via LLM Response Injection	Critical	9.7	v1.11.2	Mar 13, 2026
GHSA-gm94-qc2p-xcwf	CVE-2026-24477	API key leak in systemSettings.js (Qdrant/Weaviate)	High	8.7	v1.10.0	Jan 24, 2026
GHSA-jp2f-99h9-7vjv	CVE-2026-24478	Path traversal in DrupalWiki (arbitrary file write/RCE)	High	7.2	v1.10.0	Jan 24, 2026
GHSA-jwjx-mw2p-5wc7	-	SQL Injection in SQL Agent Plugin (table_name parameter)	High	-	-	Mar 13, 2026
GHSA-24qj-pw4h-3jmm	CVE-2026-32617	Permissive CORS policy	High	-	-	Mar 12, 2026
GHSA-7hpg-6pc7-cx86	-	Ollama token leak in systemSettings.js (GHSL-2025-056)	High	-	-	May 7, 2025
GHSA-xmj6-g32r-fc5q	-	Unauthenticated DOS attack in file exports (EISDIR crash)	High	7.5	-	Jan 18, 2024
GHSA-2qmm-82f7-8qj5	-	IDOR Cross-User Chat Feedback Manipulation	Moderate	-	-	Mar 13, 2026
GHSA-rh66-4w74-cf4m	-	Zip Slip Path Traversal via Community Hub Plugin	Moderate	-	-	Mar 13, 2026
GHSA-p5rf-8p88-979c	CVE-2026-32628	Cross-Workspace IDOR in Parsed Files API	Moderate	-	-	Mar 13, 2026
GHSA-47vr-w3vm-69ch	-	Username Enumeration with Password Recovery	Moderate	5.3	-	Jan 2, 2026
GHSA-wfq3-65gm-3g2p	-	Manager Privilege Bypass (Admin-only System Preferences)	Low	-	-	Mar 13, 2026
GHSA-7754-8jcc-2rg3	CVE-2026-32717	Suspended Users API Key Access (Browser Extension)	Low	-	-	Mar 13, 2026

¶ AnythingLLM Security