XSS Vulnerability in AnythingLLM Desktop by Mintplex Labs
CVE-2026-32626
What is CVE-2026-32626?
CVE-2026-32626 is a cross-site scripting (XSS) vulnerability in AnythingLLM Desktop, the Electron-based desktop application from Mintplex Labs that supplies relevant document context to conversations with large language models (LLMs). Versions 1.11.1 and earlier are affected. The chat rendering pipeline interpolates user-supplied input into HTML attributes without adequate sanitization, so a crafted value can break out of the attribute and inject script into the application's renderer. Because the Electron configuration shipped in these versions is insecure, script running in the renderer is not confined to the page: the XSS can be used to execute arbitrary code on the host operating system. The flaw is reachable with the default settings and needs no user interaction beyond normal chat use, which makes it a significant risk for any organization running the application.
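As an added illustration (not AnythingLLM's code and not its actual rendering path), the following JavaScript shows the bug class the advisory describes: untrusted text interpolated into an HTML attribute, a hardened renderer that escapes it, and a small attribute tokenizer that flags when an input has broken out of its attribute. All function and field names and the chat message are hypothetical and constructed for the demo.

```javascript
// Added example, not code from AnythingLLM or Mintplex Labs. Names are
// hypothetical; the chat message below is constructed for the demonstration.

// Constructed input: the attacker controls `title` (think of a document name
// or a model reply) and the renderer places it inside a double-quoted
// attribute. The payload closes that attribute and adds an event handler.
const hostileMessage = {
  author: "assistant",
  title: '" onmouseover="alert(document.cookie)" x="',
  body: "Here is the document you asked for.",
};

// Vulnerable renderer: raw interpolation into attribute and text contexts.
function renderVulnerable(message) {
  return `<div class="chat-msg" title="${message.title}">${message.body}</div>`;
}

// Escape every character that can change meaning in HTML text or in a quoted
// attribute value. The result must still be placed in a *quoted* attribute;
// unquoted attributes would need a far stricter allow-list.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened renderer: same template, every interpolation escaped.
function renderHardened(message) {
  return `<div class="chat-msg" title="${escapeHtml(message.title)}">${escapeHtml(message.body)}</div>`;
}

// Attribute tokenizer for the first opening tag, mirroring the HTML rule that
// matters here: a quoted value runs until the next literal matching quote.
// Simplified (no comments, no self-closing handling), but exact enough to show
// where an injected value breaks out of its attribute.
function attributeNames(html) {
  const names = [];
  const isSpace = (c) => /\s/.test(c);
  let i = html.indexOf("<");
  if (i < 0) return names;
  i++;
  while (i < html.length && !isSpace(html[i]) && html[i] !== ">") i++; // skip tag name
  while (i < html.length) {
    while (i < html.length && isSpace(html[i])) i++;
    if (i >= html.length || html[i] === ">") break;
    let name = "";
    while (i < html.length && !isSpace(html[i]) && html[i] !== "=" && html[i] !== ">") name += html[i++];
    names.push(name.toLowerCase());
    while (i < html.length && isSpace(html[i])) i++;
    if (html[i] === "=") {
      i++;
      while (i < html.length && isSpace(html[i])) i++;
      if (html[i] === '"' || html[i] === "'") {
        const quote = html[i++];
        while (i < html.length && html[i] !== quote) i++;
        i++; // step past the closing quote
      } else {
        while (i < html.length && !isSpace(html[i]) && html[i] !== ">") i++;
      }
    }
  }
  return names;
}

// Regression check a renderer test suite could run: any attribute the template
// did not emit is evidence that an input broke out of its context.
const TEMPLATE_ATTRIBUTES = new Set(["class", "title"]);
function injectedAttributes(html) {
  return attributeNames(html).filter((name) => !TEMPLATE_ATTRIBUTES.has(name));
}

console.log("vulnerable:", injectedAttributes(renderVulnerable(hostileMessage))); // [ 'onmouseover', 'x' ]
console.log("hardened:  ", injectedAttributes(renderHardened(hostileMessage)));   // []
```

Run it with `node`. Escaping closes the injection itself; the host-level impact the advisory attributes to the Electron configuration is a separate layer of defence, since script in a renderer should not be able to reach Node or OS APIs in the first place. The advisory does not state which Electron setting was weak, so no configuration is shown here.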
Potential impact of CVE-2026-32626
- Remote code execution: the primary risk is code execution on the user's system. A successful exploit can give the attacker control of the affected device and, from there, access to sensitive data and connected systems.
- Data breaches: an attacker with code execution can read confidential information the application processes, including corporate documents, user credentials, and proprietary content, and use it for further attacks.
- Spread of malware: arbitrary code execution also allows malware to be installed and the compromised host to be used as a foothold for further attacks within the corporate network, affecting the integrity and availability of organizational resources.

Affected Version(s)
anything-llm <= 1.11.1
