Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt="..."` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.
Published: 2026-04-24
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored DOM XSS
Action: Apply Patch
AI Analysis

Impact

AnythingLLM contains a stored DOM-level cross-site scripting flaw in its chart caption renderer. The application renders LLM-generated captions via an unsafe custom markdown rule that inserts the image alt text directly into an HTML attribute without encoding. Although most rendering paths are protected by DOMPurify, the Chartable component bypasses this safeguard, allowing attacker-controlled content to be stored and later executed in any user's browser. The flaw can lead to arbitrary JavaScript execution, enabling attackers to steal session data, deface the interface, or perform further malicious actions within the victim's environment.

Affected Systems

The issue affects all Mintplex-Labs AnythingLLM installations running any version prior to 1.12.1. The vulnerability resides in the Chartable component responsible for displaying chart captions that are generated by the LLM during chat sessions.

Risk and Exploitability

The CVSS assessment yields a score of 5.4, classifying the vulnerability as medium (moderate) severity. The EPSS score of less than 1% indicates a low but non-zero likelihood of active exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an attacker to influence the LLM's output, most cheaply via prompt injection in a shared document or by creating a chart record in a multi-user workspace, so while the attack vector is relatively low effort, it still requires some level of collaboration or editing access to the workspace. Overall, the risk is moderate but defensible, especially for environments with shared workspaces or permissive LLM prompts.

Generated by OpenCVE AI on April 28, 2026 at 14:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade AnythingLLM to version 1.12.1 or later to install the patch that sanitizes chart captions.
  • Modify the Chartable component to apply DOMPurify.sanitize to renderMarkdown(content.caption) before inserting it into the DOM.
  • Restrict or monitor permissions so that only trusted users can create chart records, and audit caption content for malicious scripts before rendering.
  • Add or enforce a Content Security Policy that blocks inline scripts and limits script sources to known safe domains, reducing the impact of any XSS that may still occur.


Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mintplexlabs anything-llm
Vendors & Products                    Mintplexlabs anything-llm

Mon, 27 Apr 2026 15:00:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Mintplexlabs; Mintplexlabs anythingllm
CPEs                                  cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*
Vendors & Products                    Mintplexlabs; Mintplexlabs anythingllm

Fri, 24 Apr 2026 19:15:00 +0000

Type                 Values Removed   Values Added
Metrics ssvc                          {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 04:00:00 +0000

Type                 Values Removed   Values Added
Description                           (the Description text shown at the top of this record)
Title                                 AnythingLLM vulnerable to stored DOM XSS in chart caption renderer - LLM-driven prompt injection produces executable HTML via unsanitized renderMarkdown(content.caption) in Chartable component
Weaknesses                            CWE-116, CWE-1336, CWE-79
References
Metrics cvssV3_1                      {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-24T18:17:42.185Z

Reserved: 2026-04-20T14:01:46.671Z

Link: CVE-2026-41318

Vulnrichment

Updated: 2026-04-24T17:24:57.200Z

NVD

Status : Analyzed

Published: 2026-04-24T04:16:20.193

Modified: 2026-04-27T14:53:37.437

Link: CVE-2026-41318

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses