DOM-based XSS Flaw in AnythingLLM Prior to Version 1.12.1
CVE-2026-41318

5.4 MEDIUM

Key Information:

Vendor
CVE Published:
24 April 2026

What is CVE-2026-41318?

AnythingLLM, an application that lets users reference their own content in conversations with large language models (LLMs), contains a DOM-based Cross-Site Scripting (XSS) vulnerability caused by an unsafe custom rule in its markdown renderer. In versions before 1.12.1, chart captions are rendered as HTML without sanitization, so anyone who controls a caption can inject script into the page. Because a caption can be influenced through the LLM's output (for example by indirect prompt injection) or by creating a chart record in a shared workspace, the result is a stored XSS that runs for every user who opens that conversation. The issue is most serious in multi-user deployments, where one user's input can compromise other users' browser sessions. The vulnerability was fixed in version 1.12.1.

Affected Version(s)

anything-llm < 1.12.1

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved