AnythingLLM Desktop: Streaming XSS to Remote Code Execution

1. Executive Summary

A critical cross-site scripting (XSS) vulnerability in AnythingLLM Desktop versions 1.11.1 and earlier escalates to full remote code execution (RCE) on the host operating system due to insecure Electron configuration (NVD) ¹. The vulnerability resides in the streaming chat rendering pipeline: the custom markdown image renderer in frontend/src/utils/chat/markdown.js fails to escape HTML entities in the token.content field before inserting it into <img> tag alt attributes, and the PromptReply component renders the resulting HTML via dangerouslySetInnerHTML without DOMPurify sanitisation (GHSA-rrmw-2j6x-4mf2) ². Because the Electron application runs with nodeIntegration: true and contextIsolation: false, injected JavaScript gains direct access to Node.js APIs, enabling arbitrary command execution with the full privileges of the AnythingLLM Desktop process (GHSA-rrmw-2j6x-4mf2) ².

Exploitation prerequisites: This vulnerability affects only the Electron Desktop variant of AnythingLLM. The server/Docker deployment does not include Electron and therefore does not expose the XSS-to-RCE escalation path (RAXE assessment). Exploitation requires user interaction; a victim must view a streaming chat response containing the malicious payload (NVD: UI:R) ¹. No authentication is required from the attacker's perspective (NVD: PR:N) ¹.

So What: AnythingLLM is an open-source application for RAG (Retrieval-Augmented Generation) deployments, available in both Desktop (Electron) and server/Docker variants. Organisations running the Desktop variant on employee workstations face a network-reachable, unauthenticated attack path that delivers arbitrary OS command execution when a user views a chat response containing a malicious payload. The delivery vector (poisoned RAG documents, a compromised LLM endpoint, or indirect prompt injection) is realistic in enterprise environments where data sources are aggregated from multiple trust boundaries (RAXE assessment).

Now What: Upgrade to AnythingLLM Desktop version 1.11.2 or later immediately. The patch commit 9e2d144 applies DOMPurify sanitisation to the streaming rendering path (GHSA-rrmw-2j6x-4mf2) ². Organisations unable to patch immediately should migrate to the Docker/server deployment variant and restrict RAG document ingestion to trusted sources (RAXE assessment).

2. Risk Rating

CVSS Scoring Attribution

The NVD entry for CVE-2026-32626 carries vulnStatus "Analyzed" with a CNA-submitted (Secondary) CVSS score of 9.6 from security-advisories@github.com (NVD) ¹. NVD has not published its own Primary score as of this publication date. The GHSA advisory displays a score of 9.7 using the identical vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (GHSA-rrmw-2j6x-4mf2) ²; this discrepancy is a display rounding variance inherent to the CVSS v3.1 specification equation. This publication uses the NVD-published 9.6 figure throughout.

3. Affected Products

CPE: cpe:2.3:a:mintplexlabs:anythingllm:*:*:*:*:*:*:*:* (versions up to and including 1.11.1) (NVD) ¹

Am I Affected?

• Check deployment variant: This vulnerability's RCE impact applies only to the Electron Desktop application. If you run AnythingLLM via Docker or as a hosted server, the XSS-to-RCE escalation path does not apply. The underlying XSS in the markdown renderer may still exist in non-Desktop variants, but without Electron's nodeIntegration it cannot escalate to OS command execution (RAXE assessment).
• Check version: Within the AnythingLLM Desktop application, navigate to Settings to view the installed version. Versions 1.11.1 and earlier are affected. Version 1.11.2 and later contain the patch.
• Check configuration: The insecure Electron configuration (nodeIntegration: true, contextIsolation: false) is the application default, not a user-toggled option. All Desktop installations running affected versions are vulnerable (GHSA-rrmw-2j6x-4mf2) ².

4. Abstract

CVE-2026-32626 is a cross-site scripting vulnerability in the AnythingLLM Desktop streaming chat renderer that chains with insecure Electron configuration to achieve remote code execution (NVD) ¹ (GHSA-rrmw-2j6x-4mf2) ². The vulnerability has two compounding components:

1. Unsanitised markdown image rendering (CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')): The custom markdown-it image renderer in frontend/src/utils/chat/markdown.js (lines 70-77) interpolates token.content directly into the HTML alt attribute of generated <img> tags without HTML entity escaping. Malicious content in the image alt text breaks out of the attribute context to inject arbitrary HTML attributes, including event handlers (GHSA-rrmw-2j6x-4mf2) ².

2. Missing DOMPurify sanitisation in the streaming path: The PromptReply component (responsible for rendering assistant responses during the real-time streaming phase) uses React's unsafe HTML injection to insert the rendered markdown output directly into the DOM without DOMPurify sanitisation. By contrast, the HistoricalMessage component (used for saved, non-streaming messages) correctly applies DOMPurify.sanitize() before DOM injection (GHSA-rrmw-2j6x-4mf2) ².

These two weaknesses combine with the Electron Desktop application's insecure configuration (nodeIntegration: true and contextIsolation: false) which grants renderer-process JavaScript direct access to Node.js built-in modules. The result is a chain from markdown content injection through XSS to arbitrary operating system command execution (GHSA-rrmw-2j6x-4mf2) ².

5. Key Findings

1. Streaming-specific attack surface. The vulnerability manifests only during the streaming rendering phase of chat responses. Saved/historical message display uses DOMPurify and is not vulnerable to this specific attack chain (GHSA-rrmw-2j6x-4mf2) ².

2. Unauthenticated, network-reachable attack path. No authentication is required (CVSS PR:N). The attacker must deliver the payload through a vector that causes the LLM to include it in a streaming response: poisoned RAG documents, compromised LLM endpoints, or indirect prompt injection are plausible delivery mechanisms (NVD) ¹ (GHSA-rrmw-2j6x-4mf2) ².

3. Scope: Changed, XSS to RCE escalation. The Electron nodeIntegration: true and contextIsolation: false configuration grants renderer-process JavaScript direct Node.js API access, enabling the XSS to escalate to arbitrary OS command execution. The attack escapes the browser sandbox to the host operating system (NVD: S:C) ¹ (GHSA-rrmw-2j6x-4mf2) ².

4. Advisory-disclosed proof-of-concept. The GHSA advisory includes a complete PoC payload that demonstrates the attack chain from markdown injection to OS command execution (GHSA-rrmw-2j6x-4mf2) ². This lowers the exploitation barrier.

5. Patch addresses DOM injection, not root cause. The patch (commit 9e2d144) adds DOMPurify sanitisation to the PromptReply component but does not appear to fix the underlying entity escaping gap in the markdown image renderer, nor does it address the insecure Electron configuration (RAXE assessment based on commit diff scope) ⁴. Future XSS vulnerabilities in any component would similarly escalate to RCE while the Electron misconfiguration persists.

6. Low current exploitation probability. EPSS score is 0.16% (36th percentile) as of 2026-03-19 (FIRST.org EPSS) ³, indicating limited current exploitation activity. No confirmed in-the-wild exploitation has been reported at time of publication.

6. Attack Flow

The following attack flow is derived from the advisory-disclosed exploitation chain (GHSA-rrmw-2j6x-4mf2) ²:

ATTACKER                          ANYTHINGLLM DESKTOP                    HOST OS
   |                                     |                                  |
   |  1. Embed malicious markdown        |                                  |
   |     payload in RAG document         |                                  |
   |     or LLM endpoint response        |                                  |
   |------------------------------------>|                                  |
   |                                     |                                  |
   |  2. Victim queries workspace        |                                  |
   |     (normal chat interaction)       |                                  |
   |                                     |                                  |
   |              3. LLM streams response containing payload                |
   |                                     |                                  |
   |              4. markdown.js parses  |                                  |
   |                 image token;        |                                  |
   |                 token.content       |                                  |
   |                 interpolated into   |                                  |
   |                 alt="" WITHOUT      |                                  |
   |                 entity escaping     |                                  |
   |                                     |                                  |
   |              5. PromptReply injects |                                  |
   |                 HTML via            |                                  |
   |                 dangerouslySet-     |                                  |
   |                 InnerHTML WITHOUT   |                                  |
   |                 DOMPurify           |                                  |
   |                                     |                                  |
   |              6. Browser fires       |                                  |
   |                 onerror handler     |                                  |
   |                 on invalid <img>    |                                  |
   |                                     |                                  |
   |              7. onerror JS executes |                                  |
   |                 with Node.js access |                                  |
   |                 (nodeIntegration:   |                                  |
   |                 true, context-      |                                  |
   |                 Isolation: false)   |                                  |
   |                                     |                                  |
   |              8. Node.js child_process module                           |
   |                 invoked from renderer  --------------------------->    |
   |                                     |              ARBITRARY           |
   |                                     |              COMMAND             |
   |                                     |              EXECUTION           |

Kill chain summary (RAXE assessment):

Poisoned Content --> Markdown Parse --> Attribute Breakout XSS
       --> dangerouslySetInnerHTML (no DOMPurify) --> onerror fires
       --> Node.js API access (nodeIntegration) --> OS Command Execution

7. Technical Details

7.1 Vulnerable Component: Markdown Image Renderer

File: frontend/src/utils/chat/markdown.js (lines 70-77 per GHSA) ²

The AnythingLLM frontend uses a custom markdown-it renderer for image tokens. The renderer interpolates token.content directly into the HTML alt attribute of generated <img> tags without HTML entity escaping (GHSA-rrmw-2j6x-4mf2) ². When the token content contains a double-quote character, it breaks out of the alt attribute context, allowing the attacker to inject additional HTML attributes including event handlers.

Advisory-disclosed PoC payload (GHSA-rrmw-2j6x-4mf2) ²:

![" onerror="require('child_process').exec('open -a calculator')](x)

Resulting HTML output (GHSA-rrmw-2j6x-4mf2) ²:

<img src="x" alt="" onerror="require('child_process').exec('open -a calculator')" />

The double-quote in the payload closes the alt attribute, and the remainder is parsed by the browser as an onerror event handler attribute.

7.2 Vulnerable Component: PromptReply Streaming Renderer

File: frontend/src/components/WorkspaceChat/ChatContainer/ChatHistory/PromptReply/index.jsx (line 99 per GHSA) ²

The PromptReply component is responsible for rendering assistant responses in real time during the streaming phase. It uses dangerouslySetInnerHTML to inject the rendered markdown output directly into the DOM without DOMPurify sanitisation (GHSA-rrmw-2j6x-4mf2) ²:

dangerouslySetInnerHTML={{ __html: renderMarkdown(contentRef.current) }}

7.3 Non-Vulnerable Contrast: HistoricalMessage

File: HistoricalMessage component (line 280 per GHSA) ²

The HistoricalMessage component, used for saved/non-streaming messages, correctly applies DOMPurify.sanitize() before DOM injection (GHSA-rrmw-2j6x-4mf2) ². The vulnerability is therefore specific to the real-time streaming code path.

7.4 Escalation Factor: Insecure Electron Configuration

The AnythingLLM Desktop Electron application runs with (GHSA-rrmw-2j6x-4mf2) ²:

• nodeIntegration: true: grants renderer-process JavaScript direct access to Node.js built-in modules
• contextIsolation: false: disables the security boundary between the web page context and the Electron preload script context

This configuration is the application default, not a user-toggled option (GHSA-rrmw-2j6x-4mf2) ². Together, these settings allow any JavaScript executing in the renderer process to invoke Node.js built-in modules and execute arbitrary operating system commands with the full privileges of the AnythingLLM Desktop process.

7.5 Patch Analysis

Commit: 9e2d144dc8be6fab29f560f5bcdaa9ef7dbb4214 ⁴ Change: 4 additions, 1 deletion in PromptReply/index.jsx

The patch wraps the renderMarkdown() output in DOMPurify.sanitize() before DOM injection (commit 9e2d144) ⁴:

// Before (vulnerable):
dangerouslySetInnerHTML={{ __html: renderMarkdown(contentRef.current) }}

// After (patched):
dangerouslySetInnerHTML={{
  __html: DOMPurify.sanitize(renderMarkdown(contentRef.current)),
}}

An import for DOMPurify from the existing project utility is also added (commit 9e2d144) ⁴:

import DOMPurify from "@/utils/chat/purify";

Residual risk (RAXE assessment): The patch addresses the DOM injection point but does not fix the underlying entity escaping gap in the markdown image renderer (markdown.js). The DOMPurify layer provides defence in depth by stripping event handler attributes before the content reaches the DOM. However, the unescaped markdown renderer remains a latent weakness that could be exploited if DOMPurify is bypassed or removed in future refactoring. The insecure Electron configuration (nodeIntegration: true, contextIsolation: false) is also not addressed by this patch, meaning any future XSS vulnerability in any component would similarly escalate to RCE.

8. Confidence and Validation

Assessment Confidence: HIGH (90%)

Validation Limitations

• No independent laboratory reproduction was performed. The conceptual analysis is derived entirely from the GHSA advisory disclosure and patch commit analysis.
• The exact rendering behaviour may differ across AnythingLLM versions or Electron builds.
• Whether the markdown image renderer entity-escaping gap was addressed in a separate commit (beyond 9e2d144) has not been verified.
• Whether the underlying XSS exists in the server/Docker web interface (without the RCE escalation) has not been independently confirmed.

9. Detection Signatures

The following detection rules are Lane 3: Hunting / Heuristic grade. They detect suspicious patterns that may indicate exploitation or exposure but will produce false positives in certain environments. They are experimental and should be tuned to the specific deployment before production use (RAXE assessment).

9.1 Sigma Rule: Suspicious Child Process Spawned by AnythingLLM Desktop (Windows)

This rule detects the post-exploitation indicator: anomalous child processes spawned by the AnythingLLM Electron process. Successful exploitation of CVE-2026-32626 results in the Electron process invoking Node.js APIs to spawn operating system commands (GHSA-rrmw-2j6x-4mf2) ². This is the primary externally observable artefact of initial exploitation; subsequent post-exploitation activity may generate additional network, filesystem, or persistence indicators (RAXE assessment).

title: Suspicious Child Process Spawned by AnythingLLM Desktop (Electron)
id: b4e7c3a1-9f02-4d8e-a6b5-1c3d5e7f9a0b
status: experimental
description: >
  Detects child processes spawned by the AnythingLLM Desktop Electron
  process that are inconsistent with normal application behaviour.
  CVE-2026-32626 (GHSA-rrmw-2j6x-4mf2) allows XSS in the streaming
  chat renderer to escalate to arbitrary OS command execution.
  Classification: Lane 3, Hunting / Heuristic.
author: RAXE Labs
date: 2026/03/20
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32626
  - https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2
tags:
  - cve.2026.32626
  - attack.execution
  - attack.t1059
  - attack.t1059.004
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent_windows:
    ParentImage|endswith:
      - '\AnythingLLM.exe'
      - '\Electron.exe'
    ParentImage|contains:
      - 'AnythingLLM'
  selection_suspicious_child:
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\bash.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\certutil.exe'
      - '\bitsadmin.exe'
      - '\curl.exe'
      - '\whoami.exe'
      - '\net.exe'
      - '\net1.exe'
      - '\reg.exe'
      - '\rundll32.exe'
  condition: selection_parent_windows and selection_suspicious_child
falsepositives:
  - AnythingLLM auto-update mechanisms that invoke system utilities
  - Electron runtime spawning helper processes during normal operation
  - Plugin or extension systems within AnythingLLM that execute shell commands
level: high

Detection caveat (RAXE assessment): The condition requires both selection_parent_windows filters to match: ParentImage|endswith (matching \AnythingLLM.exe or \Electron.exe) AND ParentImage|contains: 'AnythingLLM'. This means a generic Electron.exe parent whose path does not include "AnythingLLM" will not trigger the rule. Consequently, renamed or relocated AnythingLLM installations where the install directory no longer contains "AnythingLLM" in the path will evade this detection. Organisations with non-standard installation paths should adjust the ParentImage|contains filter accordingly.

9.2 Sigma Rule: Suspicious Child Process Spawned by AnythingLLM Desktop (macOS)

The advisory-disclosed PoC specifically demonstrates macOS exploitation using the open command (GHSA-rrmw-2j6x-4mf2) ².

title: Suspicious Child Process Spawned by AnythingLLM Desktop (macOS)
id: c5f8d4b2-a013-5e9f-b7c6-2d4e6f8a0b1c
status: experimental
description: >
  macOS variant. Detects child processes spawned by the AnythingLLM
  Desktop Electron process on macOS. Classification: Lane 3 --
  Hunting / Heuristic. Note: this rule uses logsource.product: macos
  and does not cover Linux deployments.
author: RAXE Labs
date: 2026/03/20
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32626
  - https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2
tags:
  - cve.2026.32626
  - attack.execution
  - attack.t1059
  - attack.t1059.004
logsource:
  category: process_creation
  product: macos
detection:
  selection_parent_macos:
    ParentImage|endswith:
      - '/AnythingLLM'
      - '/Electron'
      - '/anythingllm'
      - '/electron'
    ParentCommandLine|contains:
      - 'AnythingLLM'
      - 'anythingllm'
  selection_suspicious_child_unix:
    Image|endswith:
      - '/sh'
      - '/bash'
      - '/zsh'
      - '/dash'
      - '/python3'
      - '/python'
      - '/perl'
      - '/ruby'
      - '/curl'
      - '/wget'
      - '/nc'
      - '/ncat'
      - '/open'
      - '/osascript'
      - '/xdg-open'
  condition: selection_parent_macos and selection_suspicious_child_unix
falsepositives:
  - AnythingLLM auto-update mechanisms on macOS
  - Electron runtime spawning GPU or utility helper processes
  - The macOS 'open' command is common in legitimate Electron usage
level: high

9.3 Sigma Rule: Malicious Markdown Image Payload in Content

This rule requires non-standard log sources: custom log forwarding from the application database, RAG document ingestion logs, or network-level LLM API response inspection. AnythingLLM Desktop does not produce standard application logs containing chat message content (RAXE assessment).

title: Malicious Markdown Image Payload in AnythingLLM Chat Content
id: d6a9e5c3-b124-6fa0-c8d7-3e5f7a9b1c2d
status: experimental
description: >
  Detects markdown image syntax containing HTML event handler injection
  patterns in content associated with AnythingLLM chat sessions or RAG
  document ingestion. Classification: Lane 3, Hunting / Heuristic.
  Requires non-standard log sources.
author: RAXE Labs
date: 2026/03/20
references:
  - https://nvd.nist.gov/vuln/detail/CVE-2026-32626
  - https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-rrmw-2j6x-4mf2
tags:
  - cve.2026.32626
  - attack.initial_access
  - attack.t1190
logsource:
  category: application
  product: anythingllm
detection:
  selection_onerror_require:
    message_content|contains:
      - 'onerror="require'
      - "onerror='require"
      - 'onerror=require'
  selection_markdown_event_handlers:
    message_content|contains:
      - '" onerror="'
      - "' onerror='"
      - '" onload="'
      - "' onload='"
      - '" onfocus="'
      - "' onfocus='"
      - '" onmouseover="'
  selection_node_api_in_content:
    message_content|contains:
      - "require('child_process')"
      - 'require("child_process")'
      - 'process.mainModule'
      - 'require("fs")'
      - "require('fs')"
      - 'require("os")'
      - "require('os')"
  condition: >
    selection_onerror_require or
    (selection_markdown_event_handlers and selection_node_api_in_content)
falsepositives:
  - Security training materials containing XSS payload examples
  - Code review discussions referencing the CVE-2026-32626 PoC payload
  - Legitimate markdown content quoting HTML event handler syntax in code blocks
level: critical

9.4 YARA Rules: Vulnerable Installation Detection and Payload Content Scan

Two YARA rules are provided for file-based detection (RAXE assessment):

• Rule 1 (RAXE_2026_038_Vulnerable_AnythingLLM_Streaming_Renderer): Identifies vulnerable AnythingLLM Desktop installations by matching the pre-patch code pattern, specifically dangerouslySetInnerHTML with renderMarkdown() in the PromptReply component without DOMPurify wrapping. Must be run against extracted Electron application contents (asar archive or resources/app/ directory), not the binary executable.

• Rule 2 (RAXE_2026_038_AnythingLLM_XSS_Payload_In_Content): Identifies the advisory-disclosed exploit payload pattern in files that could be ingested into RAG pipelines or stored in chat databases: markdown image syntax with attribute breakout injecting event handlers that invoke Node.js APIs.

The full YARA rule source is maintained in the finding detection artefacts. Both rules are Lane 3: Hunting / Heuristic grade and should be tuned before production deployment (RAXE assessment).

Detection Coverage Gaps

Neither Sigma nor YARA rules detect the XSS injection at the application layer within the Electron renderer process. The vulnerability fires entirely within the browser context before any externally observable artefact is created. Only the post-exploitation process spawning (Sigma Rules 1/2) or pre-delivery content inspection (Sigma Rule 3, YARA Rule 2) are detectable with conventional security tooling (RAXE assessment).

10. Detection and Mitigation

10.1 Immediate Actions

Priority 1: Patch. - Upgrade all AnythingLLM Desktop installations to version 1.11.2 or later. The patch applies DOMPurify sanitisation to the streaming rendering path, blocking the XSS injection (GHSA-rrmw-2j6x-4mf2) ².

Priority 2: Deployment Variant Assessment. - Organisations running the Desktop variant should evaluate migration to the Docker or server deployment. The server variant does not include Electron and therefore does not expose the XSS-to-RCE escalation path (RAXE assessment).

10.2 Interim Mitigations (If Patching Is Delayed)

• Restrict RAG document sources to trusted, vetted origins until patching is complete. The primary attack vector is poisoned content delivered through the RAG ingestion pipeline (RAXE assessment).
• Monitor Electron child processes using endpoint detection and response (EDR) tooling. Deploy Sigma Rule 1 (Section 9.1/9.2) to detect anomalous process spawning from the AnythingLLM Electron process (RAXE assessment).
• Network-level content inspection of LLM API responses may detect payload delivery before it reaches the client. Deploy Sigma Rule 3 (Section 9.3) if log forwarding infrastructure is available (RAXE assessment).

10.3 Ongoing Monitoring

• Monitor for NVD Primary CVSS score publication, which may adjust the current CNA-submitted 9.6 score (NVD) ¹.
• Monitor EPSS score trajectory; an increase from the current 0.16% would indicate growing exploitation interest (FIRST.org EPSS) ³.
• Review the Electron configuration in future AnythingLLM Desktop releases for hardening of the nodeIntegration and contextIsolation settings (RAXE assessment).

11. Indicators of Compromise

The following are behavioural indicators derived from the advisory-disclosed exploitation chain (GHSA-rrmw-2j6x-4mf2) ². No confirmed in-the-wild IOCs (hashes, IPs, domains) exist for this vulnerability at time of publication. These indicators are Lane 3: Hunting grade and will produce false positives in some environments (RAXE assessment).

12. Strategic Context

12.1 LLM Platform Security

This vulnerability exemplifies a class of security risks emerging in LLM-powered applications where the rendering layer, designed for dynamic, real-time content display, introduces injection surfaces that traditional web application security patterns do not fully address (RAXE assessment). The distinction between streaming and historical message rendering paths, and the inconsistent application of sanitisation between the two, represents a pattern likely replicated across other LLM chat interfaces.

12.2 Electron-Based AI Application Risk

The AnythingLLM Desktop configuration (nodeIntegration: true, contextIsolation: false) represents a well-documented Electron security anti-pattern that converts any XSS vulnerability into a full RCE. The Electron security documentation explicitly warns against this configuration. Its presence in a security-sensitive AI application underscores the gap between AI/ML development velocity and secure application engineering practices (RAXE assessment). Defenders should audit all Electron-based AI desktop applications in their environment for similar misconfigurations.

12.3 RAG Pipeline as Attack Surface

The viable delivery vectors for this vulnerability (poisoned RAG documents and compromised LLM endpoints) highlight the RAG ingestion pipeline as a trust boundary that many organisations do not adequately monitor or constrain. Content entering a RAG pipeline may traverse multiple trust boundaries before being rendered to an end user, and the rendering layer may not be designed to handle adversarial input. This aligns with emerging threat patterns around indirect prompt injection and data poisoning in AI systems (RAXE assessment).

12.4 Streaming vs Rendered Output Security

The fact that the vulnerability exists only in the streaming path (not in saved message display) introduces a subtlety: security testing that focuses on the final rendered state of chat messages would miss this vulnerability entirely, because the DOMPurify sanitisation in HistoricalMessage would mask the underlying injection. This suggests that security assessments of LLM chat interfaces should specifically test the streaming/incremental rendering path as a distinct attack surface (RAXE assessment).

13. References

1. CVE-2026-32626, NVD · CVSS v3.1: 9.6 (CNA-submitted Secondary) · vulnStatus: Analyzed · Published 2026-03-16
2. GHSA-rrmw-2j6x-4mf2: AnythingLLM Desktop Streaming XSS to RCE · CVSS v3.1: 9.7 · Reporters: P3ngu1nW, jackfromeast, chenjj
3. EPSS: CVE-2026-32626 · Score: 0.16% (36th percentile), 2026-03-19
4. Patch commit 9e2d144 · Mintplex-Labs/anything-llm