SQL Injection in Mintplex-labs Anything-llm

CVE-2026-32628

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invok…

Vulnerability class: SQL Injection

EPSS: 0.000 (14.3th percentile) — read the EPSS interpretation.

Affected products

Mintplex-labs Anything-llm — versions <= 1.11.1

Weakness classification (CWE)

CWE-89 — SQL Injection

References

https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jwjx-mw2p-5wc7 (x_refsource_CONFIRM)
https://github.com/Mintplex-Labs/anything-llm/commit/334ce052f063b53a4275518cbed3bab357695d7e (x_refsource_MISC)