CVE-2026-32628

UNKNOWN 0.0

AnythingLLM has SQL Injection in Built-in SQL Agent Plugin via Unsanitized table_name Parameter

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.

CWE	CWE-89
Vendor	mintplex-labs
Product	anything-llm
Published	Mar 13, 2026
Last Updated	Mar 16, 2026

Stay Ahead of the Next One

Get instant alerts for mintplex-labs anything-llm

Be the first to know when new unknown vulnerabilities affecting mintplex-labs anything-llm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Mintplex-Labs / anything-llm

<= 1.11.1

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7 github.com: https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e