CVE-2026-32719 - Vulnerability Analysis
Medium | CVSS: 4.2 | Last Updated: March 16, 2026
AnythingLLM - Remote Code Execution
Published: March 16, 2026 | Updated: March 16, 2026 | PoC Available | Remote Exploitable
Overview
AnythingLLM <= 1.11.1 contains a path traversal vulnerability caused by improper validation of file paths during ZIP extraction in ImportedPlugin.importCommunityItemFromUrl(). It lets attackers execute arbitrary code remotely; exploitation requires a crafted ZIP archive.
Severity & Score
Severity: Medium
CVSS Score: 4.2
Impact
Attackers can execute arbitrary code remotely by exploiting path traversal in ZIP extraction, potentially compromising the server.
Mitigation
Update to a version later than 1.11.1 or the latest available version.
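For code that extracts untrusted ZIP archives, the missing control is validation of each entry name before anything is written. The following is an added example, not AnythingLLM's code or its fix; `validateEntryName` and `planExtraction` are hypothetical names, and the check is deliberately stricter than path resolution because it rejects any `..` segment outright.

```javascript
// Added example: lexical validation of ZIP entry names before extraction.
// Function names are hypothetical and do not come from AnythingLLM.

function validateEntryName(entryName) {
  if (typeof entryName !== "string" || entryName.length === 0 || entryName.includes("\0")) {
    throw new Error(`invalid entry name: ${JSON.stringify(entryName)}`);
  }
  // Treat "\" and "/" alike so the verdict does not depend on the host OS.
  const unified = entryName.replace(/\\/g, "/");
  if (unified.startsWith("/") || /^[A-Za-z]:/.test(unified)) {
    throw new Error(`absolute path in archive: ${entryName}`);
  }
  const safe = [];
  for (const segment of unified.split("/")) {
    if (segment === "" || segment === ".") continue; // harmless, drop
    if (segment === "..") {
      throw new Error(`parent-directory segment in archive: ${entryName}`);
    }
    safe.push(segment);
  }
  if (safe.length === 0) throw new Error(`empty path in archive: ${entryName}`);
  return safe.join("/"); // relative path to join under the extraction directory
}

// Validate every entry first and reject the whole archive if any name is
// unsafe, so nothing is written from a partially hostile archive.
function planExtraction(entryNames) {
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      accepted.push(validateEntryName(name));
    } catch (err) {
      rejected.push({ name, reason: err.message });
    }
  }
  const ok = rejected.length === 0;
  return { ok, paths: ok ? accepted : [], rejected };
}

// Constructed sample listing, not taken from a real archive.
const sampleListing = ["plugin.json", "lib/handler.js", "../../server/index.js", "C:\\temp\\x.js"];
console.log(planExtraction(sampleListing));
```

This checks entry names only; symbolic-link entries inside an archive need separate handling.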
Details
- CVE ID: CVE-2026-32719
- Severity: Medium
- CVSS Score: 4.2
- Type: path_traversal
- Status: confirmed
CWE
- CWE-22
CVSS Metrics
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N