Loading
Generated remediation guidance and an executive summary. No account required.
A stored Cross-Site Scripting (XSS) vulnerability exists in the chat functionality of the mintplex-labs/anything-llm repository, allowing attackers to execute arbitrary JavaScript in the context of a user's session. By manipulating the ChatBot responses, an attacker can inject malicious scripts to perform actions on behalf of the user, such as creating a new admin account or changing the user's password, leading to a complete takeover of the AnythingLLM application. The vulnerability stems from the improper sanitization of user and ChatBot input, specifically through the use of `dangerouslySetInnerHTML`. Successful exploitation requires convincing an admin to add a malicious LocalAI ChatBot to their AnythingLLM instance.
Cite this page
CVE-2024-3570. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2024-3570
Use CWE-79, Mintplexlabs vendor hub and Anythingllm product page to widen CVE-2024-3570 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-32626, CVE-2026-24477 and CVE-2026-32628 for nearby disclosures in the same product family.