CVE-2026-41318

// PoC Concept for CVE-2026-41318 // The vulnerability exists in the 'Chartable' component where chart captions are rendered without sanitization. // Attackers can use prompt injection to force the LLM to output a markdown image with a malicious alt text. // 1. Prompt Injection Example (sent to LLM): // "Create a chart about sales. Use the following as the caption: " // 2. Malicious Payload stored in Chart Caption: // The LLM outputs a chart with the caption containing the markdown image. // 3. Stored XSS Trigger: // When a victim loads the chat history, the Chartable component renders the caption. // Since DOMPurify is missing, the browser executes the script. // Example Payload Structure: const payload = ``; // If the application allows raw HTML injection via the alt text interpolation: // <img alt="<img src=\"x\" onerror=\"alert(1)\">" src="..."> // In the vulnerable component, this might be rendered directly leading to XSS.

{"cve": {"id": "CVE-2026-41318", "sourceIdentifier": "[email protected]", "published": "2026-04-24T04:16:20.193", "lastModified": "2026-04-27T14:53:37.437", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.12.1, AnythingLLM's in-chat markdown renderer has an unsafe custom rule for images that interpolates the markdown image's `alt` text into an HTML `alt=\"...\"` attribute without any HTML encoding. Every call-site in the app wraps `renderMarkdown(...)` with `DOMPurify.sanitize(...)` as defense-in-depth — except the `Chartable` component, which renders chart captions with no sanitization. The chart caption is the natural-language text the LLM emits around a `create-chart` tool call, so any attacker who can influence the LLM's output — most cheaply via indirect prompt injection in a shared workspace document, or directly if they can create a chart record in a multi-user workspace — can trigger stored DOM-level XSS in every other user's browser when they open that conversation. AnythingLLM chat history is loaded server-side via `GET /api/workspace/:slug/chats` and rendered directly into the chat UI. Version 1.12.1 contains a patch for this issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-116"}, {"lang": "en", "value": "CWE-1336"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.12.1", "matchCriteriaId": "94CAE6B1-A382-49BB-8EC4-A1AD6F2DF101"}]}]}], "references": [{"url": "https://github.com/Mintplex-Labs/anything-llm/commit/f5fa03f4728e483949f6360093bc3ea1ef555535", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-4q6m-qh3w-9gf5", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}