CVE-2026-48789
AnythingLLM: Windows path containment bypass in document folder route
CVSS Score
4.3
EPSS Score
0.0%
EPSS Percentile
0th
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, on Windows, the document folder listing route can accept an encoded absolute Windows path that resolves outside the intended documents directory. The shared path containment helper rejects POSIX-style "../" traversal but does not reject Windows-style parent paths returned by path.relative(), such as "..". This vulnerability is fixed in 1.13.0.
| CWE | CWE-22 |
| Vendor | mintplex-labs |
| Product | anything-llm |
| Published | Jun 24, 2026 |
| Last Updated | Jun 24, 2026 |
Stay Ahead of the Next One
Get instant alerts for mintplex-labs anything-llm
Be the first to know when new medium vulnerabilities affecting mintplex-labs anything-llm are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
Affected Versions
Mintplex-Labs / anything-llm
< 1.13.0