Loading
Generated remediation guidance and an executive summary. No account required.
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. In 1.11.1 and earlier, a SQL injection vulnerability in the built-in SQL Agent plugin allows any user who can invoke the agent to execute arbitrary SQL commands on connected databases. The getTableSchemaSql() method in all three database connectors (MySQL, PostgreSQL, MSSQL) constructs SQL queries using direct string concatenation of the table_name parameter without sanitization or parameterization.
Cite this page
CVE-2026-32628. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2026-32628
Use CWE-89, Mintplexlabs vendor hub and Anythingllm product page to widen CVE-2026-32628 into its surrounding weakness, vendor, and product context.
Compare it with CVE-2026-32626, CVE-2026-24477 and CVE-2026-5627 for nearby disclosures in the same product family.