mintplexlabs anythingllm

66 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
CVE-2026-42456
< 1.12.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior
4.3 MEDIUM
CVE-2026-41318
< 1.12.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior
5.4 MEDIUM
CVE-2026-5627
<= 1.9.1
A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the AgentFlows co
7.2 HIGH
CVE-2026-32719
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
4.2 MEDIUM
CVE-2026-32717
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
2.7 LOW
CVE-2026-32715
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
3.8 LOW
CVE-2026-32628
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
8.8 HIGH
CVE-2026-32626
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
9.6 CRITICAL
CVE-2026-32617
<= 1.11.1
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.1
7.1 HIGH
CVE-2026-24478
< 1.10.0
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior
7.2 HIGH
CVE-2026-24477
< 1.10.0
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If Any
7.5 HIGH
CVE-2026-21484
< 1.10.0
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior
5.3 MEDIUM
CVE-2025-63390
all versions
An authentication bypass vulnerability exists in AnythingLLM v1.8.5 via the /api/workspaces endpoint. The endpoint fails to imp
5.3 MEDIUM
CVE-2024-8251
< 1.2.2
A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endp
5.3 MEDIUM
CVE-2024-8249
< 1.2.2
mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for th
7.5 HIGH
CVE-2024-8248
< 1.2.2
A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading
7.2 HIGH
CVE-2024-7771
< 1.3.1
A vulnerability in the Dockerized version of mintplex-labs/anything-llm (latest, digest 1d9452da2b92) allows for a denial of servi
6.5 MEDIUM
CVE-2024-6842
all versions
In version 1.5.5 of mintplex-labs/anything-llm, the /setup-complete API endpoint allows unauthorized users to access sensitive s
7.5 HIGH
CVE-2024-10513
< 1.2.2
A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the lates
7.2 HIGH
CVE-2024-10109
< 1.3.1
A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensi
8.3 HIGH
CVE-2024-13059
< 1.3.1
A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASC
7.2 HIGH
CVE-2024-7783
< 1.2.1
mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improp
7.5 HIGH
CVE-2024-3279
< 1.0.0
An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endp
9.1 CRITICAL
CVE-2024-5216
< 1.0.0
A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumpt
7.5 HIGH
CVE-2024-5213
<= 1.5.3
In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is ret
6.5 MEDIUM
CVE-2024-5208
< 1.0.0
An uncontrolled resource consumption vulnerability exists in the upload-link endpoint of mintplex-labs/anything-llm. This vulner
6.5 MEDIUM
CVE-2024-5211
< 1.0.0
A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the normalizePath() function, intended
7.2 HIGH
CVE-2024-3153
< 1.0.0
mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading
6.5 MEDIUM
CVE-2024-3150
< 1.0.0
In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles
8.8 HIGH
CVE-2024-3149
< 1.0.0
A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature,
8.8 HIGH
CVE-2024-3110
< 1.0.0
A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to a
8.7 HIGH
CVE-2024-3102
< 1.0.0
A JSON Injection vulnerability exists in the mintplex-labs/anything-llm application, specifically within the username parameter
5.3 MEDIUM
CVE-2024-3152
< 1.0.0
mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An att
8.8 HIGH
CVE-2024-3104
< 1.0.0
A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Atta
9.8 CRITICAL
CVE-2024-3033
< 1.0.0
An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' en
9.4 CRITICAL
CVE-2024-4084
<= 1.5.4
A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers
7.5 HIGH
CVE-2024-4287
< 1.0.0
In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifical
7.2 HIGH
CVE-2024-4284
< 1.0.0
A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's
4.9 MEDIUM
CVE-2024-2913
<= 1.0.0
A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance
6.5 MEDIUM
CVE-2024-3029
< 1.0.0
In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the '/syst
8.0 HIGH
CVE-2024-3028
< 1.0.0
mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on th
7.2 HIGH
CVE-2024-0549
< 1.0.0
mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role
8.1 HIGH
CVE-2024-0404
< 1.0.0
A mass assignment vulnerability exists in the /api/invite/:code endpoint of the mintplex-labs/anything-llm repository, allowing
9.1 CRITICAL
CVE-2024-3570
< 1.0.0
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, a
5.4 MEDIUM
CVE-2024-3569
< 1.0.0
A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'ju
7.5 HIGH
CVE-2024-3283
< 1.0.0
A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through
7.2 HIGH
CVE-2024-3101
< 1.0.0
In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating
7.2 HIGH
CVE-2024-3025
< 1.0.0
mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the lo
9.9 CRITICAL
CVE-2024-0765
< 1.0.0
As a default user on a multi-user instance of AnythingLLM, you could execute a call to the /export-data endpoint of the system a
6.5 MEDIUM
CVE-2024-0795
< 1.0.0
If an attacker was given access to an instance with the admin or manager role there is no backend authentication that would preven
7.2 HIGH
CVE-2024-0550
< 1.0.0
A user who is already privileged (manager or admin) can set their profile picture via the frontend API using a relative filepath
6.5 MEDIUM
CVE-2024-0763
< 1.0.0
Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal.
8.1 HIGH
CVE-2024-0551
< 1.0.0
Enable exports of the database and associated exported information of the system via the default user role. The attacker would hav
7.1 HIGH
CVE-2024-0759
< 1.0.0
Should an instance of AnythingLLM be hosted on an internal network and the attacker be explicitly granted a permission level of ma
7.5 HIGH
CVE-2024-0798
all versions
A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents
6.5 MEDIUM
CVE-2024-0455
all versions
The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when
7.5 HIGH
CVE-2024-0440
all versions
Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then
6.5 MEDIUM
CVE-2024-0439
< 1.0.0
As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role
8.8 HIGH
CVE-2024-0436
< 1.0.0
Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection
5.9 MEDIUM
CVE-2024-0435
all versions
User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Give
5.4 MEDIUM
CVE-2024-22422
< 2024-01-18
AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as referenc
7.5 HIGH
CVE-2023-5833
< 0.1.0
Improper Access Control in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
8.8 HIGH
CVE-2023-5832
< 0.1.0
Improper Input Validation in GitHub repository mintplex-labs/anything-llm prior to 0.1.0.
9.1 CRITICAL
CVE-2023-4899
< 0.0.1
SQL Injection in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
8.8 HIGH
CVE-2023-4898
< 0.0.1
Authentication Bypass by Primary Weakness in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
7.5 HIGH
CVE-2023-4897
< 0.0.1
Relative Path Traversal in GitHub repository mintplex-labs/anything-llm prior to 0.0.1.
9.8 CRITICAL
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin