Logo
Retour à la veille

CVE-2026-55611

Publié : 24 juin 2026
Modifié : 24 juin 2026
Lien officiel NVD
Score CVSS
0
NONE

Description détaillée

AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. From 1.11.1 until 1.14.1, userId/workspaceId scoping to the parsed-files read/delete paths was added. However, the POST /api/workspace/:slug/embed-parsed-file/:fileId flow still deletes the target file by primary key only, with no ownership check, inside two finally{} blocks that run even when the ownership-checked read fails. As a result a manager or admin (multi-user mode) can delete any other user's parsed file in any workspace — including workspaces they are not a member of — by enumerating integer fileIds. The server even returns "File not found" while still deleting the file. This vulnerability is fixed in 1.14.1.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:N

Références et Patchs

https://github.com/Mintplex-Labs/anything-llm/commit/34a42a33eaafe78b1e4020995ce8e9fd34d26c65https://github.com/Mintplex-Labs/anything-llm/commit/683fe3dfdc74b6d94c445a25bb0f2f218665a4c6https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-r872-gr59-vf5whttps://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-r872-gr59-vf5w

Dernières Vulnérabilités

CVE-2026-53950

@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.

VOIR DÉTAILS

CVE-2026-53949

Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.

VOIR DÉTAILS

CVE-2026-53948

Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.

VOIR DÉTAILS