Impact
AnythingLLM Desktop 1.11.1 and earlier contains a cross-site scripting (XSS) flaw in the streaming phase of the chat rendering pipeline that can be escalated to remote code execution on the host OS. The flaw arises because the custom markdown-it image renderer inserts unescaped `token.content` into the `alt` attribute, and the rendered output is then injected into the DOM via `dangerouslySetInnerHTML` without DOMPurify sanitization. An attacker who can influence the LLM response can therefore inject malicious JavaScript that runs with the desktop application's privileges, potentially compromising system integrity and confidentiality.
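The renderer pattern described above, next to an escaped version, as an added example that is not AnythingLLM's own code. The function names, the local `escapeHtml` helper and the sample token are assumptions constructed for illustration; the token shape (`content`, `attrs`) follows markdown-it's, and the injected value is an inert `data-` attribute.

```javascript
// Added example, not project code. Escapes the five HTML-significant characters,
// the same job markdown-it's md.utils.escapeHtml does for its default rules.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));

// Read one attribute from a markdown-it style token: attrs is [[name, value], ...].
function attr(token, name) {
  const hit = (token.attrs || []).find(([k]) => k === name);
  return hit ? hit[1] : "";
}

// Pattern from the advisory: token.content reaches alt="" without escaping,
// so a double quote in the alt text ends the attribute early.
function renderImageUnsafe(tokens, idx) {
  const t = tokens[idx];
  return `<img src="${escapeHtml(attr(t, "src"))}" alt="${t.content}">`;
}

// Hardened form: every interpolated value is escaped. Sanitizing the final HTML
// (e.g. with DOMPurify) before dangerouslySetInnerHTML is a second layer, not a substitute.
function renderImageSafe(tokens, idx) {
  const t = tokens[idx];
  return `<img src="${escapeHtml(attr(t, "src"))}" alt="${escapeHtml(t.content)}">`;
}

// Regression check helper: list the attribute names a parser would see on the tag.
function attributeNames(html) {
  return [...html.matchAll(/\s([a-zA-Z-]+)="[^"]*"/g)].map((m) => m[1]);
}

// Constructed sample: alt text containing a quote plus a harmless marker attribute.
const SAMPLE_TOKENS = [{
  type: "image",
  content: 'logo" data-injected="1',
  attrs: [["src", "https://example.test/a.png"]],
}];

console.log(attributeNames(renderImageUnsafe(SAMPLE_TOKENS, 0))); // extra attribute appears
console.log(attributeNames(renderImageSafe(SAMPLE_TOKENS, 0)));   // only src and alt
```

A check like `attributeNames` fits in a unit test for any custom renderer rule, so a later change that drops the escaping fails the build.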
Affected Systems
Desktop installations of AnythingLLM from Mintplex-Labs are affected, specifically version 1.11.1 and all earlier releases. The vulnerability originates from the default Electron configuration, which remains unchanged until an upgrade. Users running these versions are at risk during normal chat usage with any LLM that can supply injected content; no additional user interaction is required.
Risk and Exploitability
The CVSS base score of 9.7 classifies this as critical, while the EPSS score of less than 1% indicates low current exploit prevalence. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only normal chat interaction with the vulnerable version; once malicious content is rendered, the JavaScript runs with full desktop process privileges, potentially giving an attacker full control over the host system.