CVE-2026-32719
- Source
- https://cve.org/CVERecord?id=CVE-2026-32719
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-32719.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-32719
- Aliases
-
- GHSA-rh66-4w74-cf4m
- Published
- 2026-03-13T21:25:31.682Z
- Modified
- 2026-04-10T05:42:27.339511Z
- Severity
-
- 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N CVSS Calculator
- Summary
- AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import
- Details
-
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-22", "CWE-94" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32719.json" }- References
-
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32719.json
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74-cf4m
- https://nvd.nist.gov/vuln/detail/CVE-2026-32719
- https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2e9f2151c25f8c
Affected packages
Git / github.com/mintplex-labs/anything-llm
Affected ranges
- Type
- GIT
- Repo
- https://github.com/mintplex-labs/anything-llm
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed