LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-5627

CVE-2026-5627 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: April 7, 2026

mintplex-labs/anything-llm - Path Traversal

Published: April 7, 2026Updated: April 7, 2026Remote Exploitable

Overview

mintplex-labs/anything-llm <= 1.9.1 contains a path traversal caused by improper input handling in AgentFlows component's loadFlow and deleteFlow methods, letting attackers access or delete arbitrary JSON files remotely, exploit requires no special privileges.

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can disclose sensitive files or cause denial of service by deleting critical files.

Mitigation

Upgrade to version 1.12.1 or later.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Apr 7, 2026

šŸ”“ CVE-2026-5627 - Critical (9.1) A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in ... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-5627/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
Apr 7, 2026

šŸšØ CVE-2026-5627: Critical path traversal in mintplex-labs/anything-llm (<=1.9.1). Attackers with high privileges can access/delete sensitive .json files. Upgrade to 1.12.1. https://radar.offseq.com/threat/cve-2026-5627-cwe-29-path-traversal-filename-in-mi-9e476f7c #OffSeq #Vuln #PathTraversal #Security

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Apr 7, 2026

šŸ”“ CVE-2026-5627 - Critical (9.1) A path traversal vulnerability exists in mintplex-labs/anything-llm versions up to and including 1.9.1, within the `AgentFlows` component. The vulnerability arises from improper handling of user input in the `loadFlow` and `deleteFlow` methods in ... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-5627/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
OffSequence
OffSequence
@offseq
Apr 7, 2026

šŸšØ CVE-2026-5627: Critical path traversal in mintplex-labs/anything-llm (<=1.9.1). Attackers with high privileges can access/delete sensitive .json files. Upgrade to 1.12.1. https://radar.offseq.com/threat/cve-2026-5627-cwe-29-path-traversal-filename-in-mi-9e476f7c #OffSeq #Vuln #PathTraversal #Security

View original post

Related Resources

Details

CVE ID
CVE-2026-5627
Severity
Critical
CVSS Score
9.1
Type
path_traversal
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-29

CVSS Metrics

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days