Cyber Resilience

CVE-2026-48116

HighPublic PoCRCEUpdated

Published: 28 May 2026

Published
28 May 2026
Modified
17 June 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0037 28.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-48116 is a high-severity Command Injection (CWE-77) vulnerability in Mintplexlabs Anythingllm. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 28.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as LLM Application Platforms; in the LLM/Generative AI Risks risk domain.

OWASP Top 10 for Web (2025)

EU & UK References

No EU or UK CSIRT advisories indexed for this CVE.

Vulnerability details

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a…

more

-- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.

CWE(s)

AI Security AnalysisAI

AI Category
LLM Application Platforms
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: anythingllm, llm

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Command injection via unsanitized LLM-controlled ripgrep argument directly enables Unix shell execution (T1059.004); the agent chat interface on a default-exposed deployment enables remote exploitation of the public app (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-32628Same product: Mintplexlabs Anythingllm
CVE-2024-13059Same product: Mintplexlabs Anythingllm
CVE-2024-6842Same product: Mintplexlabs Anythingllm
CVE-2026-5627Same product: Mintplexlabs Anythingllm
CVE-2026-24477Same product: Mintplexlabs Anythingllm
CVE-2026-32617Same product: Mintplexlabs Anythingllm
CVE-2026-24478Same product: Mintplexlabs Anythingllm
CVE-2026-32626Same product: Mintplexlabs Anythingllm
CVE-2024-57590Shared CWE-77
CVE-2025-64090Shared CWE-77

Affected Assets

mintplexlabs
anythingllm
≤ 1.13.0

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References