{"id":"CVE-2024-4286","details":"Mintplex-Labs' anything-llm application is vulnerable to improper neutralization of special elements used in an expression language statement, identified in the commit id `57984fa85c31988b2eff429adfc654c46e0c342a`. The vulnerability arises from the application's handling of user modifications by managers or admins, allowing for the modification of all existing attributes of the `user` database entity without proper checks or sanitization. This flaw can be exploited to delete user threads, denying users access to their previously submitted data, or to inject fake threads and/or chat history for social engineering attacks.","modified":"2026-03-14T12:36:09.510051Z","published":"2024-05-26T23:15:21.600Z","references":[{"type":"WEB","url":"https://huntr.com/bounties/a72d2923-297c-455f-af90-715e83b3da2b"},{"type":"FIX","url":"https://github.com/mintplex-labs/anything-llm/commit/1b35bcbeab10b77e6dbd263cceecf1b965a40789"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/mintplex-labs/anything-llm","events":[{"introduced":"0"},{"fixed":"1b35bcbeab10b77e6dbd263cceecf1b965a40789"}]}],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-4286.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N"}]}
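The record above describes the failure mode in one sentence: a manager or admin update request is applied to every attribute of the `user` entity with no check on which fields the body may carry. The following is an added illustration of that pattern and of the allowlisted form that closes it; it is not code from anything-llm or from the fix commit. The entity fields (`id`, `username`, `role`, `suspended`, `password`), the in-memory store and the request bodies are constructed assumptions, chosen only to show why an unchecked object spread over a database row lets the caller rewrite the primary key or credential along with the fields the endpoint was meant to expose.

```javascript
// Added illustration, not code from anything-llm. The entity shape and the
// request bodies below are constructed assumptions; the point is the update
// pattern, not the real schema.

const users = new Map(); // constructed stand-in for the `user` table

// Reset the store to two known records so each scenario starts clean.
function seed() {
  users.clear();
  users.set(1, { id: 1, username: "alice", role: "default", suspended: 0, password: "hash-alice" });
  users.set(2, { id: 2, username: "bob", role: "admin", suspended: 0, password: "hash-bob" });
  return users.size;
}

// Vulnerable pattern: the caller (already a manager or admin) sends a JSON
// body and every key in it is written straight onto the entity. Nothing stops
// the body from carrying `id`, `password` or fields that do not exist, so the
// row can be re-keyed, its credential replaced, or junk attributes persisted.
function updateUserUnchecked(userId, body) {
  const user = users.get(userId);
  if (!user) return null;
  const updated = { ...user, ...body };
  users.set(userId, updated);
  return updated;
}

// Hardened pattern: an explicit allowlist of writable fields with the expected
// type for each, a closed set of roles, and refusal of everything else. The
// primary key and the password hash are deliberately absent from the list.
const WRITABLE = Object.freeze({ username: "string", role: "string", suspended: "number" });
const ROLES = new Set(["default", "manager", "admin"]);

function updateUserChecked(userId, body) {
  const user = users.get(userId);
  if (!user) return { ok: false, error: "not found", rejected: [] };
  const updates = {};
  const rejected = [];
  for (const [key, value] of Object.entries(body)) {
    if (!Object.prototype.hasOwnProperty.call(WRITABLE, key) || typeof value !== WRITABLE[key]) {
      rejected.push(key); // unknown field or wrong type
      continue;
    }
    if (key === "role" && !ROLES.has(value)) {
      rejected.push(key); // role outside the closed set
      continue;
    }
    if (key === "suspended" && value !== 0 && value !== 1) {
      rejected.push(key); // flag must be exactly 0 or 1
      continue;
    }
    updates[key] = value;
  }
  const updated = { ...user, ...updates };
  users.set(userId, updated);
  return { ok: true, user: updated, rejected };
}

// Run the same hostile body through both handlers and return both outcomes.
function demo() {
  const hostile = { id: 2, password: "hash-attacker", role: "admin", username: "mallory", isPrivileged: true };
  seed();
  const loose = updateUserUnchecked(1, hostile);
  seed();
  const strict = updateUserChecked(1, hostile);
  return { loose, strict };
}
```

In the unchecked handler the record for user 1 ends up with `id: 2` and the attacker's password hash, which is the kind of state corruption the record's "modification of all existing attributes" describes; the checked handler applies only `role` and `username` and reports `id`, `password` and `isPrivileged` as rejected, so a caller or log reviewer can see that the body was tampered with. Returning the rejected keys rather than silently dropping them is a deliberate choice: it keeps the endpoint usable for legitimate admins while making abuse visible.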