Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In versions 1.11.1 and earlier, the ImportedPlugin.importCommunityItemFromUrl() function in server/utils/agents/imported.js downloads a ZIP file from a community hub URL and extracts it using AdmZip.extractAllTo() without validating the file paths within the archive. This enables a Zip Slip path traversal attack that can lead to arbitrary code execution.
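
A pre-extraction check for the missing path validation described above, as an added example (not AnythingLLM's code or its fix): each entry name is resolved against the destination directory, and the archive is rejected as a whole if any resolved path lands outside it. The function names, sample entry names and destination path are assumptions constructed for illustration; in practice the names would be read from the archive's entry list before anything is extracted.

```javascript
// Added example: Zip Slip check run before extraction.
// All names here are hypothetical, not taken from the AnythingLLM code base.
const path = require("path");

// Resolve one archive entry name against destDir and report whether the
// resulting path stays inside destDir.
function resolveEntry(destDir, entryName) {
  const root = path.resolve(destDir);
  // ZIP names use "/", but archives built on Windows may carry "\".
  const normalized = String(entryName).replace(/\\/g, "/");
  // An absolute entry name makes path.resolve() discard root entirely,
  // which the relative-path test below also catches.
  const target = path.resolve(root, normalized);
  const rel = path.relative(root, target);
  const escapes =
    normalized.includes("\0") ||
    rel === ".." ||
    rel.startsWith(".." + path.sep) ||
    path.isAbsolute(rel); // different drive on Windows
  return { entryName, target, safe: !escapes };
}

// Check every entry before anything is written. One bad name rejects the
// whole archive instead of silently skipping that entry.
function auditArchive(destDir, entryNames) {
  const results = entryNames.map((name) => resolveEntry(destDir, name));
  const rejected = results.filter((r) => !r.safe).map((r) => r.entryName);
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample entry names (not from a real hub item).
const SAMPLE_ENTRIES = [
  "plugin.json",
  "handler.js",
  "lib/../helpers.js",    // stays inside after normalization
  "../../../outside.js",  // climbs out of the destination
  "..\\..\\outside.js",   // same, with Windows separators
  "/tmp/absolute.js",     // absolute path
  "..notes/readme.md",    // leading dots in a name, not a traversal
];

function demo() {
  // Constructed destination directory for the example.
  return auditArchive("/srv/example/extract-dir", SAMPLE_ENTRIES);
}

console.log(demo());
```

Comparing the resolved path with `path.relative()` rather than searching the name for `..` avoids both false positives (names such as `..notes/`) and misses (absolute names, backslash separators).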

INFO

Published Date : 2026-03-13T21:25:31.682Z

Last Modified : 2026-03-16T16:44:38.247Z

Source : GitHub_M

AFFECTED PRODUCTS

The following products are affected by the CVE-2026-32719 vulnerability.

Vendor: Mintplexlabs
Products:
  • Anything-llm
  • Anythingllm
