CVE-2026-32719 MEDIUM

CVE-2026-32719: AnythingLLM has a Zip Slip Path Traversal and Code Execution via Community Hub Plugin Import

Vendor Mintplex-Labs
Product anything-llm
Weakness CWE-22 · Path traversal
Published March 13, 2026
Last update March 16, 2026

CVSS base score

4.2/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
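An added example (not AnythingLLM's code or its fix): a pre-extraction check that resolves each archive entry name against the destination directory and rejects any entry that would be written outside it. The function names, the destination path and the entry names are constructed for illustration; in a real import the names would come from the archive's entry list before anything is extracted.

```javascript
// Added example: Zip Slip pre-extraction check. Names here are hypothetical.
const path = require('node:path');

// Returns the absolute path an entry would be written to, or throws if
// that path falls outside destDir.
function resolveEntryPath(destDir, entryName) {
  const root = path.resolve(destDir);
  if (entryName.includes('\0')) {
    throw new Error('NUL byte in entry name');
  }
  // Treat backslashes as separators so Windows-style names are caught on POSIX too.
  const name = entryName.replace(/\\/g, '/');
  // path.resolve collapses ".." segments and lets an absolute name override root.
  const target = path.resolve(root, name);
  // Compare against root + separator: a bare startsWith(root) would accept
  // a sibling directory such as "<root>-evil/x.js".
  if (target !== root && !target.startsWith(root + path.sep)) {
    throw new Error(`entry escapes extraction directory: ${entryName}`);
  }
  return target;
}

// Checks every entry name up front and returns the ones that must be rejected.
// Extraction should proceed only when the returned list is empty.
function auditEntries(destDir, entryNames) {
  const rejected = [];
  for (const name of entryNames) {
    try {
      resolveEntryPath(destDir, name);
    } catch (err) {
      rejected.push(name);
    }
  }
  return rejected;
}

// Constructed entry names: three well-formed, five that leave the destination.
const SAMPLE_ENTRIES = [
  'plugin.json',
  'handler.js',
  'lib/util.js',
  '../../outside.js',
  '/tmp/absolute.js',
  '..\\..\\backslash.js',
  '../my-skill-evil/x.js',
  'lib/../../escape.js',
];
```

This check covers entry names only; archive entries that are symbolic links need separate handling.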

Key dates

02 Disclosure timeline

March 13, 2026 CVE published
March 16, 2026 Record updated