CVE-2026-32626 is a critical security vulnerability classified as CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e., Cross-site Scripting) affecting Mintplex-Labs' AnythingLLM Desktop application versions 1.11.1 and earlier. The vulnerability exists in the chat rendering pipeline, specifically within the custom markdown-it image renderer located in frontend/src/utils/chat/markdown.js. This renderer interpolates user-controlled token.content directly into the alt attribute of image tags without applying HTML entity escaping, allowing malicious input to be injected. The PromptReply React component then renders this content using dangerouslySetInnerHTML without applying DOMPurify sanitization, unlike the HistoricalMessage component which correctly sanitizes output. This flaw enables an attacker to inject arbitrary JavaScript code that executes in the context of the Electron-based desktop application. Due to insecure Electron configuration, this XSS vulnerability escalates to remote code execution on the host operating system. Exploitation requires no privileges and no user interaction beyond normal chat usage, making it highly accessible. The vulnerability has a CVSS 3.1 base score of 9.7 (critical), reflecting its high impact on confidentiality, integrity, and availability. Although no known exploits have been reported in the wild, the severity and ease of exploitation make it a significant threat to users of AnythingLLM Desktop. The lack of patch links suggests that a fix may not yet be publicly available, underscoring the urgency for mitigation or vendor updates.

The impact of CVE-2026-32626 is severe for organizations using AnythingLLM Desktop. Successful exploitation allows attackers to execute arbitrary code on the host operating system, potentially leading to full system compromise. This can result in data theft, unauthorized access to sensitive information, installation of persistent malware, lateral movement within networks, and disruption of business operations. Since the vulnerability requires no special privileges or user interaction beyond normal chat usage, it can be exploited remotely by sending crafted chat messages. The Electron framework's insecure configuration exacerbates the risk by enabling escalation from XSS to remote code execution. Organizations relying on AnythingLLM for AI-assisted workflows or content processing may face significant operational and reputational damage if exploited. Additionally, the vulnerability could be leveraged as an initial access vector in broader cyberattacks, especially in environments where AnythingLLM is integrated with other critical systems.

To mitigate CVE-2026-32626, organizations should immediately upgrade AnythingLLM Desktop to a version patched by Mintplex-Labs once available. Until a patch is released, users should consider disabling or restricting the chat feature that processes untrusted content. Implementing strict input validation and output encoding in the markdown-it image renderer is critical; specifically, HTML entity escaping must be applied to all user-controlled content inserted into HTML attributes. The PromptReply component should be refactored to apply DOMPurify sanitization consistently, matching the approach used in HistoricalMessage. Electron application security best practices must be enforced, including enabling context isolation, disabling nodeIntegration where possible, and applying Content Security Policy (CSP) headers to limit script execution. Monitoring chat inputs for suspicious payloads and employing runtime application self-protection (RASP) can provide additional defense layers. Organizations should also conduct thorough code audits of Electron apps and educate developers on secure rendering practices to prevent similar vulnerabilities.