📦 AnythingLLM
by Mintplex Labs
🛡️ Security Overview
⚠️ Known Vulnerabilities
This vulnerability allows unauthenticated attackers to import malicious database files into the anything-llm application, potentially deleting or spoofing the legitimate database. This could lead to d...
An improper authorization vulnerability in the mintplex-labs/anything-llm application allows unauthenticated users to perform destructive actions on the VectorDB, including resetting the database and ...
This CVE describes a mass assignment vulnerability in the Anything-LLM software that allows attackers to create administrative accounts by intercepting and modifying invitation requests. Any organizat...
This path traversal vulnerability in mintplex-labs/anything-llm allows attackers to read or delete files outside the intended directory by manipulating logo filenames. The vulnerability affects system...
CVE-2023-5832 is an improper input validation vulnerability in the Anything-LLM software that allows attackers to execute arbitrary code or cause denial of service. This affects all users running vers...
This vulnerability allows attackers to perform relative path traversal attacks in the Anything-LLM software, enabling unauthorized access to files outside the intended directory. It affects all users ...
A path traversal vulnerability in the normalizePath function of mintplex-labs/anything-llm allows attackers to read and write arbitrary files within the storage directory. This can lead to privilege e...
This vulnerability allows unauthenticated attackers to crash the Anything-LLM server by sending malformed JSON payloads to the embeddable chat API endpoint. It affects all systems running vulnerable v...
This vulnerability allows unauthenticated attackers to access the /setup-complete API endpoint in Anything-LLM version 1.5.5, exposing sensitive system settings including search engine API keys. Attac...
This vulnerability in anything-llm's single user mode exposes user passwords in plaintext within JWT bearer tokens. Attackers who obtain these tokens can decode them to steal credentials, affecting al...
This vulnerability in mintplex-labs/anything-llm allows attackers to cause a Denial of Service by creating users with excessively large usernames, which makes the user management panel unresponsive. T...
A path traversal vulnerability in mintplex-labs/anything-llm allows authenticated managers to bypass path normalization and access, delete, or overwrite critical files including the application databa...
This vulnerability allows users with Default or Manager roles in mintplex-labs/anything-llm to escalate their privileges to Administrator by exploiting improper input validation in the thread update e...
A stored XSS vulnerability in anything-llm allows attackers with manager role to inject malicious JavaScript via crafted URLs. When an admin clicks these links, their authorization token can be stolen...
CVE-2024-3152 affects mintplex-labs/anything-llm, allowing attackers to escalate privileges to admin, read/delete arbitrary files, and perform SSRF attacks via multiple endpoints with improper input v...
This SSRF vulnerability in mintplex-labs/anything-llm allows attackers to bypass IP filtering and access internal network resources by using alternative IP representations and localhost ports. It affe...
This vulnerability in mintplex-labs/anything-llm allows attackers to read and delete arbitrary files on the server by manipulating the 'logo_filename' parameter. Attackers can access sensitive files l...
This vulnerability in mintplex-labs/anything-llm allows attackers to disable Multi-User Mode via improper input validation, enabling them to create new admin accounts without passwords and gain unauth...
This vulnerability allows attackers with admin or manager roles in Anything LLM to create new admin users without proper backend authentication, enabling privilege escalation. It affects instances whe...
CVE-2024-0763 is a path traversal vulnerability in Anything-LLM that allows authenticated users to delete arbitrary folders recursively on the server. This affects all users of vulnerable versions who...
This vulnerability in AnythingLLM allows authenticated users with manager or admin permissions to discover and potentially access other internal services on the same network through link scraping. It ...
This CVE describes an improper privilege management vulnerability in Anything-LLM where managers can bypass UI restrictions and modify restricted settings using their authentication tokens via direct ...
This vulnerability in AnythingLLM's web scraper allows authorized users (managers, admins, or single users) to access AWS EC2 instance metadata service credentials by submitting a specific internal UR...
This vulnerability in AnythingLLM allows attackers to determine whether specific usernames exist in the system by observing different error messages from the password recovery endpoint. This enables u...
An authentication bypass vulnerability in AnythingLLM v1.8.5 allows unauthenticated attackers to enumerate and retrieve detailed information about all configured workspaces via the /api/workspaces end...
A Prisma injection vulnerability in mintplex-labs/anything-llm allows attackers to bypass access controls by sending specially crafted JSON to the /embed/:embedId/stream-chat API endpoint. This enable...
A denial-of-service vulnerability in Dockerized anything-llm allows attackers to crash the entire site instance by uploading an audio file with a very low sample rate (1 Hz). The localWhisper implemen...
An uncontrolled resource consumption vulnerability in the 'upload-link' endpoint of mintplex-labs/anything-llm allows authenticated users with Manager role or higher to cause denial of service by send...
A JSON injection vulnerability in the anything-llm application allows attackers to perform brute force attacks against the login system without knowing usernames. Once a password is known, attackers c...
A vulnerability in mintplex-labs/anything-llm allows authenticated users with manager or admin privileges to cause a denial of service by modifying a user's ID to 0, rendering the account permanently ...