CVE-2026-41318 Overview
CVE-2026-41318 is a stored Cross-Site Scripting (XSS) vulnerability in AnythingLLM, an application that transforms content into context for LLM-based chat interactions. The vulnerability exists in the Chartable component's markdown rendering functionality, where chart captions containing LLM-generated output are rendered without proper HTML sanitization. This allows attackers to inject malicious scripts via indirect prompt injection in shared workspace documents, affecting all users who subsequently access the compromised conversation.
Critical Impact
Attackers can execute arbitrary JavaScript in victim browsers through stored XSS, potentially stealing session tokens, performing actions on behalf of users, or exfiltrating sensitive workspace data in multi-user AnythingLLM deployments.
Affected Products
- Mintplexlabs AnythingLLM versions prior to 1.12.1
- AnythingLLM multi-user workspace deployments
- AnythingLLM instances with chart generation functionality enabled
Discovery Timeline
- 2026-04-24 - CVE CVE-2026-41318 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-41318
Vulnerability Analysis
The vulnerability stems from inconsistent sanitization practices across AnythingLLM's markdown rendering pipeline. While most call-sites wrap renderMarkdown(...) with DOMPurify.sanitize(...) as a defense-in-depth measure, the Chartable component renders chart captions without this crucial sanitization step.
The chart caption contains natural-language text that the LLM emits around create-chart tool calls. Since this output is influenced by user-provided input and document content, an attacker can craft malicious payloads that, when processed by the LLM, result in XSS payloads being stored and executed in other users' browsers.
The attack surface is particularly dangerous because chat history is loaded server-side via GET /api/workspace/:slug/chats and rendered directly into the chat UI, creating a persistent stored XSS condition.
Root Cause
The root cause is the missing DOMPurify.sanitize() wrapper around markdown-rendered content in the Chartable component. Additionally, the custom image rule in the markdown renderer interpolates the alt text attribute without proper HTML encoding, creating an injection point when combined with the unsanitized chart caption rendering.
Attack Vector
The vulnerability is exploitable via network-based attacks requiring low privileges and user interaction. Attackers can trigger this vulnerability through two primary vectors:
- Indirect Prompt Injection: Injecting malicious content into shared workspace documents that influences the LLM's chart caption output
- Direct Chart Record Manipulation: Creating chart records with malicious captions in multi-user workspaces
When victims open the compromised conversation, the stored XSS payload executes in their browser context.
// Security patch in markdown.js - Adding HTML encoding to link renderer
markdown.renderer.rules.link_open = (tokens, idx) => {
const token = tokens[idx];
const href = token.attrs.find((attr) => attr[0] === "href");
return `<a href="${HTMLEncode(href[1])}" target="_blank" rel="noopener noreferrer">`;
};
Source: GitHub Commit Changes
The patch introduces proper HTML encoding via HTMLEncode() for URL attributes and adds the missing DOMPurify import to the Chartable component:
import Tooltip from "./CustomTooltip.jsx";
import { safeJsonParse } from "@/utils/request.js";
import renderMarkdown from "@/utils/chat/markdown.js";
+import DOMPurify from "dompurify";
import { memo, useCallback, useState } from "react";
import { saveAs } from "file-saver";
import { useGenerateImage } from "recharts-to-png";
Source: GitHub Commit Changes
Detection Methods for CVE-2026-41318
Indicators of Compromise
- Unusual JavaScript execution patterns in chat interfaces or browser developer console errors
- Chart captions containing HTML tags, script elements, or event handlers (e.g., onerror, onload)
- Workspace documents with embedded prompt injection payloads designed to manipulate LLM output
- Unexpected network requests originating from the AnythingLLM chat interface to external domains
Detection Strategies
- Implement Content Security Policy (CSP) headers to detect and block inline script execution attempts
- Monitor server logs for GET /api/workspace/:slug/chats requests followed by anomalous client-side behavior
- Deploy browser-based XSS detection tools to identify DOM manipulation attempts in the chat UI
- Audit chart records in the database for suspicious HTML content or script tags in caption fields
Monitoring Recommendations
- Enable detailed logging for workspace document uploads and chat history retrieval endpoints
- Set up alerts for JavaScript errors or CSP violations in client monitoring tools
- Monitor for unusual patterns in LLM responses that may indicate prompt injection attempts
- Review user-generated content in shared workspaces for potential injection payloads
How to Mitigate CVE-2026-41318
Immediate Actions Required
- Upgrade AnythingLLM to version 1.12.1 or later immediately
- Audit existing chat histories and chart records for potential stored XSS payloads
- Implement Content Security Policy headers as an additional defense layer
- Review and sanitize workspace documents in shared environments for prompt injection content
Patch Information
The vulnerability is addressed in AnythingLLM version 1.12.1. The patch adds the DOMPurify import to the Chartable component and implements proper HTML encoding for attributes in the markdown renderer. Apply the update by pulling the latest release from the official repository. For detailed changes, review the GitHub Commit and the GitHub Security Advisory.
Workarounds
- Temporarily disable the chart generation feature in AnythingLLM until the patch can be applied
- Restrict workspace sharing and limit multi-user access to trusted users only
- Implement a reverse proxy or Web Application Firewall (WAF) to filter XSS payloads in API responses
- Review and sanitize all user-uploaded documents before allowing them into shared workspaces
# Update AnythingLLM to patched version
cd /path/to/anything-llm
git fetch origin
git checkout v1.12.1
npm install
npm run build
# Restart the AnythingLLM service
pm2 restart anythingllm # or your preferred process manager
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
