CVE-2026-32626
Published: 16 March 2026
Summary
CVE-2026-32626 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 23.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires filtering and sanitization of chat output before rendering via dangerouslySetInnerHTML in PromptReply, directly addressing the lack of DOMPurify as in the fix.
Mandates input validation and HTML entity escaping for token.content in the markdown-it image renderer to block XSS payloads in alt attributes.
Enforces secure Electron configuration settings to prevent XSS exploitation from escalating to host OS remote code execution under default insecure settings.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
XSS in Electron desktop client directly enables client-side exploitation for code execution (T1203); resulting RCE on host OS facilitates arbitrary command execution via interpreters/shells (T1059).
NVD Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, AnythingLLM Desktop contains a Streaming Phase XSS vulnerability in the chat rendering pipeline that escalates to…
more
Remote Code Execution on the host OS due to insecure Electron configuration. This works with default settings and requires no user interaction beyond normal chat usage. The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component renders this output via dangerouslySetInnerHTML without DOMPurify sanitization — unlike HistoricalMessage which correctly applies DOMPurify.sanitize().
Deeper analysisAI
CVE-2026-32626 is a Streaming Phase XSS vulnerability (CWE-79) in the chat rendering pipeline of AnythingLLM Desktop versions 1.11.1 and earlier. AnythingLLM is an application that turns pieces of content into context for any LLM to use as references during chatting. The flaw originates in the custom markdown-it image renderer at frontend/src/utils/chat/markdown.js, which interpolates token.content directly into the alt attribute without HTML entity escaping. The PromptReply component then renders this output via dangerouslySetInnerHTML without DOMPurify sanitization, unlike the HistoricalMessage component which correctly applies it.
The vulnerability can be exploited remotely by unauthenticated attackers (AV:N/AC:L/PR:N) via normal chat usage with minimal user interaction (UI:R). A crafted message triggers XSS during the streaming phase, escalating to remote code execution on the host operating system due to insecure Electron configuration under default settings. This achieves high impacts across confidentiality, integrity, and availability (CVSS 9.6; CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) with a change in scope.
Mitigation details are provided in the GitHub security advisory GHSA-rrmw-2j6x-4mf2 and the fixing commit 9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214, which address the sanitization deficiencies in the rendering pipeline. Users should update AnythingLLM Desktop beyond version 1.11.1 to apply the patch.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Machine Learning Libraries
- Risk Domain
- N/A
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: llm