CVE-2026-48789

CVSS Score & Metrics

Base Score

4.3 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N                                    

Vulnerability Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared path containment helper rejects POSIX-style "../" traversal but does not reject Windows-style parent paths returned by path.relative(), such as "..". This vulnerability is fixed in 1.13.0.

Vulnerability Details

Published Date

June 24, 2026

Last Modified

June 24, 2026

CWE ID

CWE-22

Source

NVD

Vendor

Mintplex-Labs

Product

anything-llm

External References

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-j4m9-wwcq-m868

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment