Vulnerability Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Mintplexlabs | Anythingllm | <= 1.11.1 |
Related Weaknesses (CWE)
References
- https://github.com/Mintplex-Labs/anything-llm/commit/6a492f038da195a5c9a239d5ca2Patch
- https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rh66-4w74ExploitVendor AdvisoryMitigation
FAQ
What is CVE-2026-32719?
CVE-2026-32719 is a vulnerability with a CVSS score of 4.2 (MEDIUM). AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, The ImportedPlugin.importCommunityItemFromUrl() funct...
How severe is CVE-2026-32719?
CVE-2026-32719 has been rated MEDIUM with a CVSS base score of 4.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32719?
Check the references section above for vendor advisories and patch information. Affected products include: Mintplexlabs Anythingllm.