CVE-2026-41318

Summary

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's alt text into an HTML alt="..." attribute without any HTML encoding. Every call-site in the app wraps renderMarkdown(...) with DOMPurify.sanitize(...) as defense-in-depth — except the Chartable component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a create-chart tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via GET /api/workspace/:slug/chats and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue.

Affected Software

VendorProductVersion RangeStatus
Mintplex-Labsanything-llm< 1.12.1affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-116: CWE-116: Improper Encoding or Escaping of Output
  • CWE-1336: CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

Additional References

References