PT-2026-25382 · Unknown+1 · Mysql Server+3

Aviral2642 · Published 2026-03-13 · Updated 2026-03-26 · CVE-2026-32628

CVSS v2.0: 9.0 (High)

Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

AnythingLLM versions 1.11.1 and earlier

Description

AnythingLLM is an application designed to provide context from content pieces for use with Large Language Models (LLMs). A SQL injection issue exists within the built-in SQL Agent plugin. This allows users who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in the MySQL, PostgreSQL, and MSSQL database connectors constructs SQL queries by directly concatenating the table name parameter without proper sanitization or parameterization.

Recommendations

Versions prior to 1.11.1 should be updated.
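
The concatenation pattern named in the description, next to a validated and parameterized form, as an added example that is not AnythingLLM's code. The function names, the query text and the sample table names are assumptions constructed for illustration.

```javascript
// Added illustration: names and query text are hypothetical, not AnythingLLM source.

// Pattern the advisory describes: the table name becomes part of the SQL text.
function unsafeSchemaSql(tableName) {
  return (
    "SELECT column_name, data_type FROM information_schema.columns " +
    "WHERE table_name = '" + tableName + "'"
  );
}

// Plain identifier only: letter or underscore first, then at most 63
// letters, digits or underscores.
const IDENTIFIER = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// Hardened form: validate, check against the tables the connection really has,
// then pass the value as a bound parameter so it is never parsed as SQL.
// "?" is the MySQL-style placeholder; PostgreSQL drivers use $1, MSSQL uses @name.
function safeSchemaQuery(tableName, knownTables) {
  if (typeof tableName !== "string" || !IDENTIFIER.test(tableName)) {
    throw new Error("table name is not a plain identifier");
  }
  if (!knownTables.includes(tableName)) {
    throw new Error("table name is not in the connection's table list");
  }
  return {
    text:
      "SELECT column_name, data_type FROM information_schema.columns " +
      "WHERE table_name = ?",
    values: [tableName],
  };
}

// Constructed inputs: one ordinary name, one with a stray quote that would end
// the string literal early in the concatenated query.
function demo() {
  const knownTables = ["orders", "customers"]; // constructed sample
  return ["orders", "o'rders"].map((name) => {
    try {
      return { name, unsafe: unsafeSchemaSql(name), safe: safeSchemaQuery(name, knownTables) };
    } catch (err) {
      return { name, unsafe: unsafeSchemaSql(name), rejected: err.message };
    }
  });
}

console.log(JSON.stringify(demo(), null, 2));
```

In the concatenated form the SQL text changes with the input; in the parameterized form the text is constant and only `values` varies, which is the property to check for when reviewing a connector.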

Exploit

Fix

SQL injection

Weakness Enumeration

Related Identifiers

BDU:2026-04255
CVE-2026-32628
GHSA-JWJX-MW2P-5WC7

Affected Products

Anything-Llm
Mssql
Mysql Server
Postgresql