CVE-2026-32628 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 16, 2026
AnythingLLM - SQL Injection
Overview
AnythingLLM <= 1.11.1 contains a SQL injection caused by unsanitized concatenation of the table_name parameter in the getTableSchemaSql() method of the SQL Agent plugin, allowing any user who can invoke the agent to execute arbitrary SQL commands.
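As an added illustration (not AnythingLLM's code and not a reconstruction of its getTableSchemaSql()), the JavaScript below shows the unsafe shape the overview describes, an untrusted table name spliced into SQL text by concatenation, next to a hardened version that allowlists the name against a catalogue the database itself reports and then either binds it as a parameter or quotes it as an identifier. The function names, the schema query, the `$1` placeholder syntax and the sample catalogue are assumptions made for this example.

```javascript
// Added illustration, not AnythingLLM's code: the unsafe shape the advisory
// describes (an untrusted table_name concatenated into SQL text) next to a
// hardened version. Function names, the schema query and the placeholder
// syntax are assumptions for this example.

// Vulnerable shape: whatever the caller passes becomes part of the statement.
function getTableSchemaSqlUnsafe(tableName) {
  return (
    "SELECT column_name, data_type FROM information_schema.columns " +
    "WHERE table_name = '" + tableName + "'"
  );
}

// Hardened shape, layer 1: a conservative syntactic allowlist for identifiers.
const IDENTIFIER_RE = /^[A-Za-z_][A-Za-z0-9_]{0,62}$/;

function isValidIdentifier(name) {
  return typeof name === "string" && IDENTIFIER_RE.test(name);
}

// Hardened shape, layer 2: the name must match one the database itself reports.
// `knownTables` stands in for a catalogue lookup (e.g. listing
// information_schema.tables); callers pass the list they fetched.
function assertKnownTable(tableName, knownTables) {
  if (!isValidIdentifier(tableName)) {
    throw new Error("rejected table name: " + JSON.stringify(tableName));
  }
  if (!knownTables.includes(tableName)) {
    throw new Error("unknown table: " + tableName);
  }
  return tableName;
}

// When the name is compared as a VALUE (as in information_schema lookups), it
// can be a bound parameter. The `$1` placeholder is Postgres-style (assumption).
function getTableSchemaSqlSafe(tableName, knownTables) {
  const name = assertKnownTable(tableName, knownTables);
  return {
    text:
      "SELECT column_name, data_type FROM information_schema.columns " +
      "WHERE table_name = $1",
    values: [name],
  };
}

// When the name must appear as an IDENTIFIER (e.g. SELECT * FROM <table>),
// parameters cannot be used; quote it after the allowlist check. Doubling an
// embedded double quote is the standard escaping for quoted SQL identifiers;
// the allowlist already excludes quotes, so this is defence in depth.
function quoteIdentifier(name) {
  return '"' + name.replace(/"/g, '""') + '"';
}

function buildSelectAll(tableName, knownTables) {
  const name = assertKnownTable(tableName, knownTables);
  return "SELECT * FROM " + quoteIdentifier(name) + " LIMIT 100";
}

// Self-check: the unsafe builder passes a hostile name straight through,
// the hardened one refuses it. Both inputs are constructed sample data.
function demo() {
  const known = ["users", "orders"]; // constructed catalogue result
  const probe = "users' OR 1=1 --";   // constructed hostile input
  const unsafe = getTableSchemaSqlUnsafe(probe);
  let safeRejected = false;
  try {
    getTableSchemaSqlSafe(probe, known);
  } catch (e) {
    safeRejected = true;
  }
  return { unsafeContainsProbe: unsafe.includes("OR 1=1"), safeRejected };
}

console.log(JSON.stringify(demo()));
```

The two layers are deliberately independent: the syntactic check stops anything that is not a plain identifier before it reaches the database, and the catalogue check stops a well-formed name that the caller has no business querying. Reviewing an agent or plugin for this class of bug means looking for any place a model- or user-supplied string reaches a query builder without passing through both.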
Severity & Score
Impact
Any user invoking the SQL Agent plugin can execute arbitrary SQL commands on connected databases, potentially leading to data compromise or manipulation.
Mitigation
Update to a version later than 1.11.1.
References
Social Media Activity (2 posts)
CVE-2026-32628 - High (8.8) AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the ag... https://www.thehackerwire.com/vulnerability/CVE-2026-32628/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Related Resources
Details
- CVE ID: CVE-2026-32628
- Severity: High
- CVSS Score: 8.8
- Type: sql_injection
- Status: confirmed
- EPSS: 3.0%
- Social Posts: 2
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H