GHSA-j9rx-rppg-6hh4: Anyquery has Path Traversal through `clear_plugin_cache`, Allowing Arbitrary Directory Deletion
high
vulnerability
security
Summary
Anyquery versions up to 0.4.4 contain a path traversal vulnerability in the `clear_plugin_cache` function, which accepts user input and passes it directly to file deletion commands without proper validation. An attacker with API access can use sequences like `../../../../tmp/target` to escape the intended cache directory and delete arbitrary directories on the server.
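A containment check of the kind this class of bug calls for, as an added example (not Anyquery's code and not its 0.4.5 patch). The helper names `resolveCachePath` and `clearCacheDir` and the sample cache root are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideCache: the requested name does not resolve strictly inside the cache root.
var ErrOutsideCache = errors.New("plugin cache path escapes cache root")

// resolveCachePath (hypothetical helper) maps a caller-supplied name to a
// directory strictly below cacheRoot, or returns ErrOutsideCache.
func resolveCachePath(cacheRoot, name string) (string, error) {
	if name == "" || filepath.IsAbs(name) {
		return "", ErrOutsideCache
	}
	root, err := filepath.Abs(cacheRoot)
	if err != nil {
		return "", err
	}
	target := filepath.Join(root, name) // Join cleans "." and ".." segments
	rel, err := filepath.Rel(root, target)
	if err != nil {
		return "", err
	}
	// "." would delete the whole root; ".." or "../x" leaves it.
	if rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideCache
	}
	return target, nil
}

// clearCacheDir (hypothetical) deletes only a path that passed the check above.
func clearCacheDir(cacheRoot, name string) error {
	target, err := resolveCachePath(cacheRoot, name)
	if err != nil {
		return err
	}
	return os.RemoveAll(target)
}

func main() {
	root := "/var/cache/anyquery/plugins" // constructed sample path
	for _, n := range []string{"github", "../../../../tmp/target", "a/../..", "/etc"} {
		p, err := resolveCachePath(root, n)
		fmt.Printf("%-28q -> %q err=%v\n", n, p, err)
	}
}
```

The check is lexical only: it does not resolve symlinks, so a symlink inside the cache root that points elsewhere needs separate handling (for example `filepath.EvalSymlinks` before the comparison).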
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
June 10, 2026
Classification
Attack Sophistication
Trivial
Affected Packages
github.com/julien040/anyquery@<= 0.4.4 (fixed: 0.4.5)
Original source: https://github.com/advisories/GHSA-j9rx-rppg-6hh4
First tracked: June 10, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 95%