CVE-2026-48116
7.5 HIGH
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting
Published: 2026-05-28 · Last updated: 2026-05-30
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'), CWE-88 (Improper Neutralization of Argument Delimiters in a Command, 'Argument Injection')
Affected products
| Vendor | Product |
|---|---|
| mintplexlabs | anythingllm |
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill (which lets the attacker place a file whose contents /bin/sh will then run when ripgrep walks it), to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Source: NVD
References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2026-48116)
- [Patch](https://github.com/Mintplex-Labs/anything-llm/commit/94ed62d320df1a06c229e4bc3ee09c2cb5111b33)
- [Vendor advisory](https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-6hrp-7mw6-8v59)
Related CVEs
Same vendor
- CVE-2026-47713 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (2.0 LOW)
- CVE-2026-45403 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (2.0 LOW)
- CVE-2026-42456 — AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting (4.3 MEDIUM)
Same CWE
- CVE-2026-46529 — Atril Document Viewer is the default document reader of the MATE desktop environment for Linux
- CVE-2026-53694 — Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in Nomachine allows Argument Injection.T...
- CVE-2026-45558 — Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers (9.9 CRITICAL)
- CVE-2026-52750 — Ghidra before 12.1 contains a command injection vulnerability in URL annotation handling on Windows where cmd.exe metacharacters are not ... (7.8 HIGH)
- CVE-2026-11572 — Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation ... (8.8 HIGH)