PT-2026-25398 · Admzip+1 · Adm-Zip+1

Timothycarambat · Published 2026-03-13 · Updated 2026-03-16 · CVE-2026-32719

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:H/Au:M/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: AnythingLLM versions 1.11.1 and earlier

Description: AnythingLLM is an application designed to provide context for Large Language Models (LLMs). The ImportedPlugin.importCommunityItemFromUrl() function, located in server/utils/agents/imported.js, downloads ZIP files from community hub URLs and extracts their contents using AdmZip.extractAllTo(). A lack of validation for file paths within the archive allows for a Zip Slip path traversal attack, potentially leading to arbitrary code execution.

Recommendations: Versions prior to 1.11.1 should be updated. As a temporary workaround, consider restricting the use of the importCommunityItemFromUrl() function until a patch is available.

Exploit · Fix

Code Injection · Path traversal


Weakness Enumeration

Related identifiers

BDU:2026-04254
CVE-2026-32719
GHSA-RH66-4W74-CF4M

Affected products

Adm-Zip
Anything-Llm