CVE-2024-10513
published 2025-03-20

Priority: P3 (48)
Severity: high, CVSS 3.0 base score 7.2
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.83% (52.8th percentile)

A path traversal vulnerability exists in the 'document uploads manager' feature of mintplex-labs/anything-llm, affecting the latest version prior to 1.2.2. This vulnerability allows users with the 'manager' role to access and manipulate the 'anythingllm.db' database file. By exploiting the vulnerable endpoint '/api/document/move-files', an attacker can move the database file to a publicly accessible directory, download it, and subsequently delete it. This can lead to unauthorized access to sensitive data, privilege escalation, and potential data loss.
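
A containment check of the kind that closes this class of bug, as an added example (not AnythingLLM's code and not the project's actual fix). The storage layout, the {from, to} request shape and the function names are assumptions made for illustration.

```javascript
const path = require("path");

// Constructed layout (assumption): uploads live under STORAGE/documents and
// the SQLite file named in the advisory sits one level above that folder.
const STORAGE = "/app/server/storage";
const DOCUMENTS_ROOT = path.posix.join(STORAGE, "documents");

// Resolve a client-supplied path against root and return the absolute result
// only if it lands strictly inside root. Returns null otherwise.
function resolveInside(root, userPath) {
  if (typeof userPath !== "string" || userPath.length === 0) return null;
  if (userPath.includes("\0")) return null;
  // Treat backslashes as separators so "..\\x" cannot slip past the check.
  const normalized = userPath.replace(/\\/g, "/");
  const resolved = path.posix.resolve(root, normalized);
  // Compare by path segments, not by string prefix: a prefix test would
  // accept the sibling directory "/app/server/storage/documents-public".
  const rel = path.posix.relative(root, resolved);
  if (rel === "" || rel === ".." || rel.startsWith("../")) return null;
  return resolved;
}

// Validate a batch of hypothetical { from, to } move requests. The batch is
// rejected as a unit if either side of any entry leaves the documents root.
function validateMoves(files) {
  const moves = [];
  for (const { from, to } of files) {
    const src = resolveInside(DOCUMENTS_ROOT, from);
    const dst = resolveInside(DOCUMENTS_ROOT, to);
    if (src === null || dst === null) return { ok: false, rejected: { from, to } };
    moves.push({ src, dst });
  }
  return { ok: true, moves };
}

// Constructed requests: one ordinary move, one that targets the database file.
console.log(validateMoves([{ from: "custom-documents/report.json", to: "folder-b/report.json" }]));
console.log(validateMoves([{ from: "../anythingllm.db", to: "custom-documents/x.db" }]));
```

The check is lexical. Where the documents directory can contain symlinks, compare the fs.realpathSync results of the root and the resolved path as well.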

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| mintplex-labs | mintplex-labs_anything-llm | >= unspecified < 1.2.2 | 1.2.2 |
| mintplexlabs | anythingllm | < 1.2.2 | 1.2.2 |