CVE-2026-32626:
AnythingLLM Desktop versions 1.11.1 and earlier contain a Streaming Phase XSS vulnerability that can lead to Remote Code Execution on the host OS due to insecure Electron configuration.
Score
9.6 Critical
- Published Date: Mar 14, 2026
- CISA KEV Date: No data
- Industries Affected: 20
Threat Predictions
- EPSS Score: 0.2
- EPSS Percentile: 36%
Exploitability
- Score: 2.8
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: REQUIRED
- Scope: CHANGED
Impact
- Score: 6.0
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
The vulnerability in AnythingLLM Desktop is rated critical, with a CVSS v3.1 base score of 9.6. It allows remote code execution on the host operating system through a cross-site scripting attack vector: untrusted content rendered during the streaming phase of a chat response is not neutralized, and the insecure Electron configuration lets script injected into the renderer reach the host. The attack complexity is low, no privileges are required, and the only user interaction needed is normal chat usage. The impact is severe, potentially compromising the confidentiality, integrity, and availability of the affected system. The weakness is categorized as CWE-79 (improper neutralization of input during web page generation). All versions of AnythingLLM Desktop up to and including 1.11.1 are affected.
Remediation
- To address this vulnerability, users should update AnythingLLM Desktop to a version newer than 1.11.1 without delay. The developers have released a patch, which can be found in the GitHub commit referenced below. Organizations using AnythingLLM should prioritize this update to mitigate the risk of exploitation. Additionally, it is recommended to review input sanitization for any content rendered from model output and to avoid dangerous HTML rendering methods in Electron applications, so that a renderer-side XSS cannot escalate to code execution on the host.
References
- [1] Mintplex Labs, "Patch commit for AnythingLLM vulnerability," GitHub, 2026. [Online]. Available: https://github.com/Mintplex-Labs/anything-llm/commit/9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214
- [2] Mintplex Labs, "Security Advisory GHSA-rrmw-2j6x-4mf2," GitHub, 2026. [Online]. Available: https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2