Admzip · Adm-Zip · CVE-2026-32719
**Name of the Vulnerable Software and Affected Versions**
AnythingLLM versions 1.11.1 and earlier
**Description**
AnythingLLM is an application designed to provide context for Large Language Models (LLMs). The `ImportedPlugin.importCommunityItemFromUrl()` function, located in `server/utils/agents/imported.js`, downloads ZIP files from community hub URLs and extracts their contents using `AdmZip.extractAllTo()`. A lack of validation for file paths within the archive allows for a Zip Slip path traversal attack, potentially leading to arbitrary code execution.
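The entry-path validation described as missing above, as an added example (not AnythingLLM's or adm-zip's own code): each entry name, for instance `entry.entryName` from AdmZip's `getEntries()`, is resolved against the extraction directory and the archive is rejected if any entry lands outside it. The names `safeTarget`, `auditEntries`, `SAMPLE_ENTRIES` and the directory `/tmp/extract-dest` are assumptions made for illustration.

```javascript
const path = require('node:path');

// Returns the absolute path an entry would be written to, or throws if that
// path is not inside destDir.
function safeTarget(destDir, entryName) {
  // Treat "\" as a separator too, so Windows-style names are caught on POSIX.
  const name = entryName.replace(/\\/g, '/');
  if (name.includes('\0')) throw new Error('NUL byte in entry name');
  if (name.startsWith('/') || /^[A-Za-z]:/.test(name)) {
    throw new Error(`absolute entry path: ${entryName}`);
  }
  const root = path.resolve(destDir);
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // ".." or "../x" means the resolved target sits above the extraction root.
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`entry escapes extraction directory: ${entryName}`);
  }
  return target;
}

// Audits every name first, so nothing is extracted unless the whole archive passes.
function auditEntries(destDir, entryNames) {
  const rejected = [];
  for (const entry of entryNames) {
    try {
      safeTarget(destDir, entry);
    } catch (err) {
      rejected.push({ entry, reason: err.message });
    }
  }
  return { ok: rejected.length === 0, rejected };
}

// Constructed sample listing (not taken from a real archive).
const SAMPLE_ENTRIES = [
  'plugin.json',
  'handler.js',
  'lib/../helpers.js',      // normalises to helpers.js, still inside
  '../../outside.js',       // climbs out of the extraction directory
  'docs/../../outside.md',  // climbs out after one level down
  '/etc/placeholder',       // absolute path
  '..\\..\\outside.js',     // backslash-separated traversal
];

const report = auditEntries('/tmp/extract-dest', SAMPLE_ENTRIES);
console.log(report.ok ? 'archive accepted' : report.rejected);
```

The check covers entry names only; symlink entries and files already present in the destination need separate handling.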
**Recommendations**
Versions prior to 1.11.1 should be updated. As a temporary workaround, consider restricting the use of the `importCommunityItemFromUrl()` function until a patch is available.