Home / Vulnerability Intelligence / CVE-2026-32626

CVE-2026-32626 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: March 16, 2026

AnythingLLM Desktop - Stored XSS & Remote Code Execution

Published: March 16, 2026Updated: March 16, 2026Remote Exploitable

Overview

AnythingLLM Desktop <= 1.11.1 contains a stored XSS caused by improper sanitization in the chat rendering pipeline, letting attackers execute remote code on the host OS via insecure Electron configuration, exploit requires normal chat usage.

Severity & Score

Severity: Critical

CVSS Score: 9.6

EPSS Score: 15.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute remote code on the host OS, leading to full system compromise without user interaction beyond normal chat usage.

Mitigation

Update to a version later than 1.11.1 or apply proper sanitization and secure Electron configuration.

References

Social Media Activity(1 post)

Offensive Sequence

@offseq

Mar 14, 2026

🚨 CRITICAL: CVE-2026-32626 in AnythingLLM Desktop ≤1.11.1 lets attackers run code via XSS → RCE (CVSS 9.7). No patch yet. Restrict chat, harden Electron, sanitize input. High risk, act now! More: https://radar.offseq.com/threat/cve-2026-32626-cwe-79-improper-neutralization-of-i-a50f3d86 #OffSeq #XSS #RCE #InfoSec

View original post

Related Resources

Details

CVE ID: CVE-2026-32626
Severity: Critical
CVSS Score: 9.6
Type: stored_xss
Status: unconfirmed
EPSS: 15.3%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

15.3%Probability of exploitation in the next 30 days