Vulnerabilities > Mintplexlabs

| DATE | CVE | VULNERABILITY TITLE | DESCRIPTION | TAGS | RISK |
|---|---|---|---|---|---|
| 2025-03-20 | CVE-2024-13060 | Unspecified vulnerability in Mintplexlabs Anythingllm Docker | A vulnerability in AnythingLLM Docker version 1.3.1 allows users with 'Default' permission to access other users' profile pictures by changing the 'id' parameter in the user cookie. | network, low complexity, mintplexlabs | 4.3 |
| 2024-10-29 | CVE-2024-7783 | Cleartext Storage of Sensitive Information vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | The latest version of mintplex-labs/anything-llm contains a vulnerability where sensitive information, specifically a password, is improperly stored within a JWT (JSON Web Token) used as a bearer token in single user mode. | network, low complexity, mintplexlabs, CWE-312 | 7.5 |
| 2024-06-20 | CVE-2024-5213 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0/1.5.3 | In mintplex-labs/anything-llm versions up to and including 1.5.3, an issue was discovered where the password hash of a user is returned in the response after login (`POST /api/request-token`) and after account creation (`POST /api/admin/users/new`). | network, low complexity, mintplexlabs | 6.5 |
| 2024-06-06 | CVE-2024-3149 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | A Server-Side Request Forgery (SSRF) vulnerability exists in the upload link feature of mintplex-labs/anything-llm. | network, low complexity, mintplexlabs | 8.8 |
| 2024-06-06 | CVE-2024-3150 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | In mintplex-labs/anything-llm, a vulnerability exists in the thread update process that allows users with Default or Manager roles to escalate their privileges to Administrator. | network, low complexity, mintplexlabs | 8.8 |
| 2024-06-06 | CVE-2024-3153 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | mintplex-labs/anything-llm is affected by an uncontrolled resource consumption vulnerability in its upload file endpoint, leading to a denial of service (DoS) condition. | network, low complexity, mintplexlabs | 6.5 |
| 2024-06-06 | CVE-2024-3166 | Unspecified vulnerability in Mintplexlabs Anythingllm Desktop and Anythingllm Webapp | A Cross-Site Scripting (XSS) vulnerability exists in mintplex-labs/anything-llm, affecting both the desktop application version 1.2.0 and the latest version of the web application. | network, low complexity, mintplexlabs | 9.6 (critical) |
| 2024-06-06 | CVE-2024-3102 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | A JSON Injection vulnerability exists in the `mintplex-labs/anything-llm` application, specifically within the username parameter during the login process at the `/api/request-token` endpoint. | network, low complexity, mintplexlabs | 5.3 |
| 2024-06-06 | CVE-2024-3110 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | A stored Cross-Site Scripting (XSS) vulnerability exists in the mintplex-labs/anything-llm application, affecting versions up to and including the latest before 1.0.0. | network, low complexity, mintplexlabs | 8.7 |
| 2024-06-06 | CVE-2024-3033 | Unspecified vulnerability in Mintplexlabs Anythingllm 0.0.1/0.1.0 | An improper authorization vulnerability exists in the mintplex-labs/anything-llm application, specifically within the '/api/v/' endpoint and its sub-routes. | network, low complexity, mintplexlabs | 9.4 (critical) |