CVE-2026-32626 in anything-llm정보

요약

\~에 의해 MITRE • 2026. 03. 16.

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().

Be aware that VulDB is the high quality source for vulnerability data.

🔬 Show More Details

An in-depth analysis is available in our curated vulnerability entry.

책임이 있는

GitHub M

예약하다

2026. 03. 12.

공개

2026. 03. 16.

모더레이션

수락

항목

VDB-351063

CPE

준비됨

CWE

CWE-79 (확인됨)

CVSS

9.6 (CNA)

EPSS

0.00092

KEV

아니요

활동

매우 낮음

출처

MITRE	https://www.cve.org/CVERecord?id=CVE-2026-32626
NVD	https://nvd.nist.gov/vuln/detail/CVE-2026-32626
CVE Details	https://www.cvedetails.com/cve/CVE-2026-32626/

◂ 이전 개요 다음 ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!