Vulnerability Details CVE-2026-48116
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to 1.13.0, the filesystem-search-files agent skill passes its LLM-controlled pattern parameter to ripgrep as a positional argument without a -- end-of-options separator. ripgrep parses any argument that starts with - as an option, so a pattern of --pre=/bin/sh turns ripgrep into a script executor: it runs /bin/sh <file> for every file it walks. An attacker who can chat with an agent on a deployment with the filesystem plugin enabled (the default in the official Docker image) can use this, together with the sibling filesystem-write-text-file skill, to run arbitrary commands inside the AnythingLLM server container. This vulnerability is fixed in 1.13.0.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 18.3%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-48116
-
cpe:2.3:a:mintplexlabs:anythingllm:-
-
cpe:2.3:a:mintplexlabs:anythingllm:0.0.1
-
cpe:2.3:a:mintplexlabs:anythingllm:0.1.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.0.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.1.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.1.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.10.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.11.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.11.2
-
cpe:2.3:a:mintplexlabs:anythingllm:1.12.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.12.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.2.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.2.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.2.2
-
cpe:2.3:a:mintplexlabs:anythingllm:1.2.3
-
cpe:2.3:a:mintplexlabs:anythingllm:1.2.4
-
cpe:2.3:a:mintplexlabs:anythingllm:1.3.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.3.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.4.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.5.3
-
cpe:2.3:a:mintplexlabs:anythingllm:1.5.4
-
cpe:2.3:a:mintplexlabs:anythingllm:1.5.5
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.10
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.11
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.2
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.3
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.4
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.5
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.6
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.7
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.8
-
cpe:2.3:a:mintplexlabs:anythingllm:1.6.9
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.2
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.3
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.4
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.5
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.6
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.7
-
cpe:2.3:a:mintplexlabs:anythingllm:1.7.8
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.1
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.2
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.3
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.4
-
cpe:2.3:a:mintplexlabs:anythingllm:1.8.5
-
cpe:2.3:a:mintplexlabs:anythingllm:1.9.0
-
cpe:2.3:a:mintplexlabs:anythingllm:1.9.1