AnythingLLM Multiple CVEs
Multiple vulnerabilities in AnythingLLM Desktop v1.11.1 and earlier:

- CVE-2026-32626 (CVSS 9.7): streaming-phase XSS to RCE via LLM response injection in Electron.
- CVE-2026-32719: Zip Slip path traversal in plugin imports, leading to arbitrary code execution.
- CVE-2026-32617: authentication bypass exposing HTTP/WebSocket endpoints.
- CVE-2026-24477: Qdrant API key exposed in plaintext via `/api/setup-complete`.
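
For the Zip Slip issue in plugin imports (CVE-2026-32719), the general defence is to validate every archive entry name before anything is written to disk. The following is an added example, not AnythingLLM's code or its fix; `safeEntryPath`, `auditArchive` and the sample entry names are hypothetical and constructed for illustration.

```javascript
// Added example: reject archive entry names that would escape the extraction root.
// Function names are hypothetical; this is not AnythingLLM's code.

// Returns a normalized relative path inside the root, or null if the name is unsafe.
function safeEntryPath(entryName) {
  if (typeof entryName !== "string" || entryName.length === 0) return null;
  if (entryName.includes("\0")) return null;        // embedded NUL byte
  // Treat "\" as a separator too: the name may be interpreted on Windows.
  const unified = entryName.replace(/\\/g, "/");
  if (unified.startsWith("/")) return null;         // absolute or UNC-style path
  if (/^[A-Za-z]:/.test(unified)) return null;      // drive-qualified path
  const kept = [];
  for (const segment of unified.split("/")) {
    if (segment === "" || segment === ".") continue; // "a//b", "./a"
    if (segment === "..") {
      if (kept.length === 0) return null;           // would climb above the root
      kept.pop();
      continue;
    }
    kept.push(segment);
  }
  return kept.length === 0 ? null : kept.join("/");
}

// Splits an archive listing into normalized safe paths and rejected raw names.
function auditArchive(entryNames) {
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    const safe = safeEntryPath(name);
    if (safe === null) rejected.push(name);
    else accepted.push(safe);
  }
  return { accepted, rejected };
}

// Constructed sample listing, not taken from a real plugin archive.
const SAMPLE_ENTRIES = [
  "plugin.json",
  "handler.js",
  "lib/./util.js",
  "assets/../README.md",
  "../outside.txt",
  "lib/../../outside.txt",
  "/etc/placeholder",
  "C:\\Temp\\placeholder.txt",
  "..\\outside.txt",
];
console.log(auditArchive(SAMPLE_ENTRIES));
```

An importer would refuse the whole archive if `rejected` is non-empty, rather than extracting the remainder. Symbolic-link entries need a separate check, since a link placed inside the root can still point outside it.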