Platform: javascript
Component: anything-llm
Fixed in: 1.11.2
CVE-2026-32626 describes a critical Cross-Site Scripting (XSS) vulnerability within AnythingLLM Desktop, an application designed to provide context for Large Language Models (LLMs). This vulnerability escalates to Remote Code Execution (RCE) due to an insecure Electron configuration. Versions 1.11.1 and earlier are affected, and exploitation requires no user interaction beyond normal chat usage. A patch is expected to address this issue.
The impact of CVE-2026-32626 is severe. An attacker can leverage the XSS vulnerability to inject arbitrary JavaScript code into the AnythingLLM Desktop application. Due to the insecure Electron configuration, this injected code can then execute with the privileges of the application, leading to full Remote Code Execution on the host operating system. This allows an attacker to potentially steal sensitive data, install malware, or gain complete control of the affected system. The lack of user interaction required for exploitation significantly broadens the attack surface, making it a high-priority risk.
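The advisory places the XSS in the image rendering path and attributes the escalation to the Electron configuration. As an added example (not AnythingLLM code, and not a description of its actual flaw, which the advisory does not detail), the block below shows the unsafe string-concatenation pattern for a markdown image renderer beside a hardened one that encodes every attribute and allow-lists the src scheme. The token shape {src, alt, title} is a simplification of markdown-it's image token, and the markdown-it wiring is an assumption left as a comment so the file runs without the library.

```javascript
// Added example, not AnythingLLM code: a markdown image renderer that escapes
// every attribute and allow-lists the src scheme, shown beside the unsafe
// string-concatenation pattern. The token shape {src, alt, title} is a
// simplification of markdown-it's image token (assumption); the exact flaw in
// AnythingLLM's renderer is not described in the advisory.

const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can terminate an attribute or open a tag.
function escapeHtml(value) {
  return String(value ?? '').replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Return the src if its scheme is acceptable for an <img>, otherwise null.
// Relative URLs (no scheme) and http/https are accepted; data: is accepted
// only for base64 image payloads, so HTML or script payloads are rejected.
function safeImageSrc(src) {
  const s = String(src ?? '').trim();
  if (s === '') return null;
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(s);
  if (!m) return s;
  const scheme = m[1].toLowerCase();
  if (scheme === 'http' || scheme === 'https') return s;
  if (scheme === 'data' && /^data:image\/[a-z0-9.+-]+;base64,[a-z0-9+/=]*$/i.test(s)) return s;
  return null;
}

// Unsafe pattern: token fields land in the HTML verbatim, so a quote or an
// angle bracket inside alt/title closes the attribute or the tag.
function renderImageUnsafe(token) {
  return `<img src="${token.src}" alt="${token.alt}" title="${token.title ?? ''}">`;
}

// Hardened renderer: validated src, every attribute encoded, and a rejected
// src degrades to escaped alt text instead of emitting an <img> at all.
function renderImageSafe(token) {
  const src = safeImageSrc(token.src);
  if (src === null) return escapeHtml(token.alt);
  let html = `<img src="${escapeHtml(src)}" alt="${escapeHtml(token.alt)}"`;
  if (token.title) html += ` title="${escapeHtml(token.title)}"`;
  return html + '>';
}

// Wiring into markdown-it (assumption: its standard renderer-rule signature),
// left as a comment so this file runs without the library installed:
// md.renderer.rules.image = (tokens, idx, opts, env, self) => renderImageSafe({
//   src: tokens[idx].attrGet('src'),
//   alt: self.renderInlineAsText(tokens[idx].children, opts, env),
//   title: tokens[idx].attrGet('title'),
// });

// Constructed sample token: the alt text carries a quote and a tag.
const sampleToken = { src: 'https://example.test/chart.png', alt: 'chart"><b>x</b>', title: 'Q1' };
```

Run `renderImageUnsafe(sampleToken)` and `renderImageSafe(sampleToken)` side by side: the first emits a live `<b>` element from the alt text, the second keeps it as inert text. Whether `data:` images should be accepted at all depends on whether the application needs inline images; if not, drop that branch and the allow-list shrinks to http/https and relative paths.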
The probability of exploitation is considered high because the vulnerability is easy to exploit and leads to Remote Code Execution. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's nature. The vulnerability was publicly disclosed on 2026-03-13. It is recommended to monitor CISA KEV listings for updates.
Users of AnythingLLM Desktop, particularly those handling sensitive data or operating in environments with limited security controls, are at significant risk. Shared hosting environments where multiple users share the same instance of AnythingLLM Desktop are also particularly vulnerable, as an attacker could potentially compromise the entire system.
• javascript / desktop: Locate the installed binary of the running application: Get-Process -Name AnythingLLM | Select-Object -ExpandProperty Path
• javascript / desktop: Check for unusual JavaScript files or modifications within the AnythingLLM installation directory.
• javascript / desktop: Monitor Electron process network activity for suspicious requests related to image rendering.
• javascript / desktop: Examine the application's configuration files for any signs of tampering or unauthorized modifications.
Exploit status: disclosure
EPSS: 0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32626 is to upgrade to a patched version of AnythingLLM Desktop. Until a patch is available, consider isolating instances of AnythingLLM Desktop from sensitive data and networks. As a temporary workaround, disabling the custom markdown-it image renderer (if possible) might reduce the attack surface, but this could impact functionality. Monitor network traffic for suspicious activity related to the application and review Electron security best practices for future development.
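The advisory names the insecure Electron configuration as the step that turns the XSS into host code execution and recommends reviewing Electron security best practices. As an added example (not AnythingLLM code; which values the project ships is not stated in the advisory and is not assumed), the block below lists the BrowserWindow webPreferences that make that escalation possible beside a hardened set, and a small audit function that flags risky effective values in any webPreferences object. The option names are Electron's documented webPreferences keys; the defaults are assumed for a current Electron release, and the preload file name is a placeholder.

```javascript
// Added example, not AnythingLLM code: the BrowserWindow webPreferences that
// let a renderer-side XSS reach Node APIs, beside a hardened set, plus a small
// audit that flags risky effective values. The keys are Electron's documented
// webPreferences options; which values AnythingLLM ships is not stated in the
// advisory and is not assumed here.

// Electron's defaults (assumed for a current Electron release; sandbox has
// defaulted to true since Electron 20). An omitted key is judged by these.
const ELECTRON_DEFAULTS = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  allowRunningInsecureContent: false,
};

// Each rule names the value that weakens isolation and why it matters.
const RULES = [
  { key: 'nodeIntegration', risky: true,
    why: "renderer scripts can require() Node modules, so XSS executes with the app's OS privileges" },
  { key: 'contextIsolation', risky: false,
    why: 'page scripts share a JavaScript realm with the preload script and its privileged APIs' },
  { key: 'sandbox', risky: false,
    why: 'the renderer process runs without the OS-level sandbox' },
  { key: 'webSecurity', risky: false,
    why: 'same-origin policy is disabled, so injected script can read any origin' },
  { key: 'allowRunningInsecureContent', risky: true,
    why: 'https pages may load http scripts, widening the injection surface' },
];

// Return the findings for a webPreferences object; an empty array means
// none of the audited options is set to its risky value.
function auditWebPreferences(prefs = {}) {
  const effective = { ...ELECTRON_DEFAULTS, ...prefs };
  return RULES
    .filter((r) => effective[r.key] === r.risky)
    .map((r) => ({ key: r.key, value: effective[r.key], why: r.why }));
}

// Configuration that turns any XSS in the renderer into code execution on the host.
const insecureWebPreferences = { nodeIntegration: true, contextIsolation: false, sandbox: false };

// Hardened configuration: renderer isolated, privileged calls exposed only
// through a preload script via contextBridge (file name is a placeholder).
const hardenedWebPreferences = {
  nodeIntegration: false,
  contextIsolation: true,
  sandbox: true,
  webSecurity: true,
  preload: 'preload.js',
};

// In main.js this would be used as:
// new BrowserWindow({ webPreferences: hardenedWebPreferences });
```

Pointing `auditWebPreferences` at the object actually passed to `new BrowserWindow(...)` in a build is a quick way to confirm, before shipping, that an XSS in rendered chat content stays confined to the renderer. Output encoding in the renderer and process isolation in Electron are independent layers; the hardened webPreferences limit the damage of an XSS that the renderer fix misses, and the renderer fix removes the XSS that the isolation would otherwise have to contain.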
Update AnythingLLM to a version newer than 1.11.1. This fixes the XSS vulnerability that can lead to Remote Code Execution. The update can be performed by downloading the latest version from the official website or by using the corresponding package manager.
CVE-2026-32626 is a critical vulnerability in AnythingLLM Desktop versions up to 1.11.1 that allows attackers to execute code on the host system through an XSS flaw in the image rendering pipeline.
Yes, if you are using AnythingLLM Desktop version 1.11.1 or earlier, you are vulnerable to this RCE attack.
Upgrade to the latest version of AnythingLLM Desktop as soon as a patch is released. Until then, restrict usage and monitor for suspicious activity.
While active exploitation is not yet confirmed, the vulnerability's ease of exploitation suggests it is likely to be targeted soon. Monitor security advisories for updates.
Refer to the official AnythingLLM project website and security advisories for the latest information and patch releases.