CVE-2026-24478

HighPublic PoC

Published: 27 January 2026

Published

27 January 2026

Modified

28 January 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0023 45.3th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-24478 is a high-severity Path Traversal (CWE-22) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as Other AI Platforms.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SI-10 Information Input Validation

addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1505.003 Web Shell Persistence

Adversaries may backdoor web servers with web shells to establish persistent access to systems.

attack.mitre.org →

Why these techniques?

Path traversal in public-facing AnythingLLM web app directly enables exploitation (T1190); arbitrary file write facilitates web shell deployment for RCE (T1505.003).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker…

who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue.

Deeper analysisAI

CVE-2026-24478 is a critical path traversal vulnerability (CWE-22) affecting AnythingLLM, an application designed to convert pieces of content into context that large language models (LLMs) can reference during interactions. The flaw exists in the DrupalWiki integration prior to version 1.10.0, enabling attackers to write arbitrary files to the server. It carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-01-27.

The vulnerability can be exploited by a malicious administrator or by an attacker who tricks an admin into configuring a malicious DrupalWiki URL. Successful exploitation allows arbitrary file writes, which can escalate to remote code execution (RCE) through overwriting configuration files or deploying executable scripts on the server.

The GitHub security advisory at https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv details the issue, confirming that upgrading to AnythingLLM version 1.10.0 resolves the path traversal vulnerability in the DrupalWiki integration. Security practitioners should prioritize patching affected instances to prevent potential RCE.