PT-2026-4837 · Unknown · Drupal Wiki+1

Ylchen-007 · Published 2026-01-26 · Updated 2026-01-27 · CVE-2026-24478

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

AnythingLLM versions prior to 1.10.0

Description

AnythingLLM is an application that turns content into context for Large Language Models (LLMs). A critical Path Traversal issue exists in the DrupalWiki integration for versions prior to 1.10.0. This allows a malicious administrator, or an attacker who can manipulate an administrator into configuring a malicious DrupalWiki URL, to write arbitrary files to the server. This could lead to Remote Code Execution (RCE) through overwriting configuration files or writing executable scripts. The API endpoint involved is not explicitly mentioned. The vulnerable parameter is the DrupalWiki URL configured by the administrator, drupal wiki url.

Recommendations

Versions prior to 1.10.0 should be updated to version 1.10.0 or later.

Exploit · Fix · RCE · Path traversal

Related Identifiers

CVE-2026-24478
GHSA-JP2F-99H9-7VJV

Affected Products

Anything-Llm
Drupal Wiki