Mintplexlabs Anythingllm — known CVE vulnerabilities
Every CVE whose affected-product data names Mintplexlabs Anythingllm, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (67)
CVE-2024-3025 — CVSS 9.9 (critical): mintplex-labs/anything-llm is vulnerable to path traversal attacks due to insufficient validation of user-supplied input in the logo…
CVE-2024-3104 — CVSS 9.8 (critical): A remote code execution vulnerability exists in mintplex-labs/anything-llm due to improper handling of environment variables. Attackers can…
CVE-2026-32626 — CVSS 9.6 (critical): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2024-3033 — CVSS 9.4 (critical): An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint…
CVE-2024-0404 — CVSS 9.1 (critical): A mass assignment vulnerability exists in the `/api/invite/:code` endpoint of the mintplex-labs/anything-llm repository, allowing…
CVE-2024-3279 — CVSS 9.1 (critical): An improper access control vulnerability exists in the mintplex-labs/anything-llm application, specifically within the import endpoint…
CVE-2026-32628 — CVSS 8.8 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2024-3149 — CVSS 8.8 (high): A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. This feature, intended…
CVE-2024-3150 — CVSS 8.8 (high): In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to…
CVE-2024-3152 — CVSS 8.8 (high): mintplex-labs/anything-llm is vulnerable to multiple security issues due to improper input validation in several endpoints. An attacker can…
CVE-2024-0439 — CVSS 8.8 (high): As a manager, you should not be able to modify a series of settings. In the UI this is indeed hidden as a convenience for the role since…
CVE-2024-3110 — CVSS 8.7 (high): A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and…
CVE-2024-10109 — CVSS 8.3 (high): A vulnerability in the mintplex-labs/anything-llm repository, as of commit 5c40419, allows low privilege users to access the sensitive API…
CVE-2024-0763 — CVSS 8.1 (high): Any user can delete an arbitrary folder (recursively) on a remote server due to bad input sanitization leading to path traversal. The…
CVE-2024-0549 — CVSS 8.1 (high): mintplex-labs/anything-llm is vulnerable to a relative path traversal attack, allowing unauthorized attackers with a default role account…
CVE-2024-3029 — CVSS 8.0 (high): In mintplex-labs/anything-llm, an attacker can exploit improper input validation by sending a malformed JSON payload to the…
CVE-2024-7783 — CVSS 7.5 (high): mintplex-labs/anything-llm version latest contains a vulnerability where sensitive information, specifically a password, is improperly…
CVE-2024-22422 — CVSS 7.5 (high): AnythingLLM is an application that turns any document, resource, or piece of content into context that any LLM can use as references during…
CVE-2026-48116 — CVSS 7.5 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…
CVE-2024-8249 — CVSS 7.5 (high): mintplex-labs/anything-llm version git 6dc3642 contains an unauthenticated Denial of Service (DoS) vulnerability in the API for the…
CVE-2024-4084 — CVSS 7.5 (high): A Server-Side Request Forgery (SSRF) vulnerability exists in the latest version of mintplex-labs/anything-llm, allowing attackers to bypass…
CVE-2024-5216 — CVSS 7.5 (high): A vulnerability in mintplex-labs/anything-llm allows for a Denial of Service (DoS) condition due to uncontrolled resource consumption…
CVE-2024-0455 — CVSS 7.5 (high): The inclusion of the web scraper for AnythingLLM means that any user with the proper authorization level (manager, admin, and when in…
CVE-2024-3569 — CVSS 7.5 (high): A Denial of Service (DoS) vulnerability exists in the mintplex-labs/anything-llm repository when the application is running in 'just me'…
CVE-2024-6842 — CVSS 7.5 (high): In version 1.5.5 of mintplex-labs/anything-llm, the `/setup-complete` API endpoint allows unauthorized users to access sensitive system…
CVE-2026-24477 — CVSS 7.5 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM…
CVE-2024-0759 — CVSS 7.5 (high): Should an instance of AnythingLLM be hosted on an internal network and the attacked be explicitly granted a permission level of manager or…
CVE-2024-10513 — CVSS 7.2 (high): A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version…
CVE-2024-4287 — CVSS 7.2 (high): In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. Specifically, the…
CVE-2024-0795 — CVSS 7.2 (high): If an attacked was given access to an instance with the admin or manager role there is no backend authentication that would prevent the…
CVE-2026-24478 — CVSS 7.2 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…
CVE-2024-5211 — CVSS 7.2 (high): A path traversal vulnerability in mintplex-labs/anything-llm allowed a manager to bypass the `normalizePath()` function, intended to defend…
CVE-2026-5627 — CVSS 7.2 (high): A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component…
CVE-2024-3283 — CVSS 7.2 (high): A vulnerability in mintplex-labs/anything-llm allows users with manager roles to escalate their privileges to admin roles through a mass…
CVE-2024-3028 — CVSS 7.2 (high): mintplex-labs/anything-llm is vulnerable to improper input validation, allowing attackers to read and delete arbitrary files on the server…
CVE-2024-13059 — CVSS 7.2 (high): A vulnerability in mintplex-labs/anything-llm prior to version 1.3.1 allows for path traversal due to improper handling of non-ASCII…
CVE-2024-8248 — CVSS 7.2 (high): A vulnerability in the normalizePath function in mintplex-labs/anything-llm version git 296f041 allows for path traversal, leading to…
CVE-2024-3101 — CVSS 7.2 (high): In mintplex-labs/anything-llm, an improper input validation vulnerability allows attackers to escalate privileges by deactivating…
CVE-2024-0551 — CVSS 7.1 (high): Enable exports of the database and associated exported information of the system via the default user role. The attacked would have to have…
CVE-2026-32617 — CVSS 7.1 (high): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2024-5208 — CVSS 6.5 (medium): An uncontrolled resource consumption vulnerability exists in the `upload-link` endpoint of mintplex-labs/anything-llm. This vulnerability…
CVE-2024-0440 — CVSS 6.5 (medium): Attacker, with permission to submit a link or submits a link via POST to be collected that is using the file:// protocol can then…
CVE-2024-0550 — CVSS 6.5 (medium): A user who is privileged already `manager` or `admin` can set their profile picture via the frontend API using a relative filepath to then…
CVE-2024-0765 — CVSS 6.5 (medium): As a default user on a multi-user instance of AnythingLLM, you could execute a call to the `/export-data` endpoint of the system and then…
CVE-2024-0798 — CVSS 6.5 (medium): A privilege escalation vulnerability exists in mintplex-labs/anything-llm, allowing users with 'default' role to delete documents uploaded…
CVE-2024-2913 — CVSS 6.5 (medium): A race condition vulnerability exists in the mintplex-labs/anything-llm repository, specifically within the user invite acceptance process…
CVE-2024-3153 — CVSS 6.5 (medium): mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a…
CVE-2024-5213 — CVSS 6.5 (medium): In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in…
CVE-2024-7771 — CVSS 6.5 (medium): A vulnerability in the Dockerized version of mintplex-labs/anything-llm (latest, digest 1d9452da2b92) allows for a denial of service…
CVE-2024-0436 — CVSS 5.9 (medium): Theoretically, it would be possible for an attacker to brute-force the password for an instance in single-user password protection mode via…
CVE-2024-3570 — CVSS 5.4 (medium): A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing…
CVE-2024-0435 — CVSS 5.4 (medium): User can send a chat that contains an XSS opportunity that will then run when the chat is sent and on subsequent page loads. Given the…
CVE-2026-41318 — CVSS 5.4 (medium): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…
CVE-2026-21484 — CVSS 5.3 (medium): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to commit…
CVE-2025-63390 — CVSS 5.3 (medium): An authentication bypass vulnerability exists in AnythingLLM v1.8.5 in via the /api/workspaces endpoint. The endpoint fails to implement…
CVE-2024-8251 — CVSS 5.3 (medium): A vulnerability in mintplex-labs/anything-llm prior to version 1.2.2 allows for Prisma injection. The issue exists in the API endpoint…
CVE-2024-3102 — CVSS 5.3 (medium): A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during…
CVE-2024-4284 — CVSS 4.9 (medium): A vulnerability in mintplex-labs/anything-llm allows for a denial of service (DoS) condition through the modification of a user's `id`…
CVE-2026-42456 — CVSS 4.3 (medium): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…
CVE-2026-32719 — CVSS 4.2 (medium): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2026-32715 — CVSS 3.8 (low): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2026-32717 — CVSS 2.7 (low): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and…
CVE-2026-45403 — CVSS 2.0 (low): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…
CVE-2026-47713 — CVSS 2.0 (low): AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to…