Zip Slip Vulnerability in AnythingLLM Application by Mintplex Labs
CVE-2026-32719

4.2 MEDIUM

Key Information:

Vendor: Mintplex Labs
CVE Published: 13 March 2026

What is CVE-2026-32719?

The AnythingLLM application, developed by Mintplex Labs, has a security vulnerability in versions 1.11.1 and earlier. The issue is in the function ImportedPlugin.importCommunityItemFromUrl(), where a ZIP file downloaded from a community hub URL is processed without proper validation of the file paths contained within the archive. This oversight exposes the application to a Zip Slip path traversal, potentially leading to arbitrary code execution in the environment where AnythingLLM is deployed.
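
The validation that the description says is missing, shown as an added example (not AnythingLLM or Mintplex Labs code): every ZIP entry name is resolved against the extraction directory and rejected if it would land outside it. The destination directory, the function names and the sample entry names are constructed for illustration.

```javascript
// Added example: lexical Zip Slip check for archive entry names.
const path = require("path");

// Returns the absolute write target for one entry, or throws if the
// entry would be written outside destDir.
function resolveEntryPath(destDir, entryName) {
  const root = path.resolve(destDir);
  // ZIP names use "/", but archives built on Windows may carry "\".
  const name = entryName.replace(/\\/g, "/");
  if (name.includes("\0") || path.posix.isAbsolute(name) || /^[A-Za-z]:/.test(name)) {
    throw new Error(`rejected absolute or malformed entry: ${entryName}`);
  }
  const target = path.resolve(root, name);
  // path.relative avoids the prefix pitfall where ".../item-evil" passes
  // a naive target.startsWith(".../item") comparison.
  const rel = path.relative(root, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`rejected entry escaping ${root}: ${entryName}`);
  }
  return target;
}

// Checks every entry name before anything is written to disk.
function auditEntries(destDir, entryNames) {
  const accepted = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      resolveEntryPath(destDir, name);
      accepted.push(name);
    } catch (err) {
      rejected.push(name);
    }
  }
  return { accepted, rejected };
}

// Constructed sample input: the first four names stay inside the
// destination, the remaining six must be refused.
const SAMPLE_DEST = "/srv/plugins/item";
const SAMPLE_ENTRIES = [
  "plugin.json", "handler.js", "lib/util.js", "..notes.txt",
  "../outside.js", "lib/../../outside.js", "../item-evil/handler.js",
  "/tmp/abs.js", "..\\outside.js", "C:\\temp\\abs.js",
];

console.log(auditEntries(SAMPLE_DEST, SAMPLE_ENTRIES));
```

An importer using a check like this should refuse the whole archive as soon as any entry is rejected, rather than extracting the remaining files.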

Affected Version(s)

anything-llm <= 1.11.1

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved