PT-2026-44552 · Unknown+1 · Anything-Llm+1

Alexmelanfromringo · Published 2026-05-28 · Updated 2026-05-30 · CVE-2026-48116

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AnythingLLM versions prior to 1.13.0

Description

The filesystem-search-files agent skill passes an LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. Because ripgrep parses any argument starting with - as an option, a pattern such as --pre=/bin/sh allows ripgrep to act as a script executor, running /bin/sh for every file processed. An attacker capable of chatting with an agent on a deployment where the filesystem plugin is enabled can combine this with the filesystem-write-text-file skill to execute arbitrary commands within the server container.

Recommendations

Update to version 1.13.0. As a temporary mitigation, disable the filesystem plugin or restrict the use of the filesystem-search-files agent skill.
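
The argument-handling flaw described above, shown as an added example that is not AnythingLLM's code or part of the advisory. The function names, the --line-number flag and the /srv/docs path are assumptions, and classifyArgv is a simplified model of option parsing, not ripgrep's own parser.

```javascript
// Added illustration; function names are hypothetical, not AnythingLLM's code.

// Vulnerable shape: the pattern is a bare positional, so a value that
// starts with "-" is read by ripgrep as an option.
function buildArgsUnsafe(pattern, dir) {
  return ["--line-number", pattern, dir];
}

// Hardened shape: everything after "--" is positional, whatever it looks like.
function buildArgsSafe(pattern, dir) {
  if (typeof pattern !== "string" || typeof dir !== "string") {
    throw new TypeError("pattern and dir must be strings");
  }
  return ["--line-number", "--", pattern, dir];
}

// Simplified model of option parsing (not ripgrep's real parser): before the
// first "--", any argument starting with "-" counts as an option.
function classifyArgv(argv) {
  const options = [];
  const positionals = [];
  let endOfOptions = false;
  for (const arg of argv) {
    if (!endOfOptions && arg === "--") {
      endOfOptions = true;
    } else if (!endOfOptions && arg.startsWith("-") && arg.length > 1) {
      options.push(arg);
    } else {
      positionals.push(arg);
    }
  }
  return { options, positionals };
}

// Constructed input: the pattern value quoted in the advisory text.
const samplePattern = "--pre=/bin/sh";
const sampleDir = "/srv/docs"; // assumed search root
console.log("unsafe:", classifyArgv(buildArgsUnsafe(samplePattern, sampleDir)));
console.log("safe:  ", classifyArgv(buildArgsSafe(samplePattern, sampleDir)));
```

In the unsafe argv the directory is the only positional left, so ripgrep would take it as the search pattern and fall back to the current directory as the path. A review of any code that spawns ripgrep with model- or user-supplied values can check for the same thing: a "--" element placed before the first untrusted argument.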

Exploit

Fix

Argument Injection

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-48116

Affected Products

Anything-Llm
Ripgrep