CVE-2026-48116
Severity CVSS v4.0:
Pending analysis
Type:
CWE-77
Command Injection
Publication date:
28/05/2026
Last modified:
30/05/2026
Description
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:* | 1.13.0 (excluding) |
To consult the complete list of CPE names with products and versions, see this page



