CVE-2026-32722

{"id": "CVE-2026-32722", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "published": "2026-03-18T22:16:24.670", "references": [{"url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue."}, {"lang": "es", "value": "Memray es un perfilador de memoria para Python. Antes de Memray 1.19.2, Memray renderizaba la l\u00ednea de comandos del proceso rastreado directamente en los informes HTML generados sin escapar. Debido a que no hab\u00eda escape, los argumentos de l\u00ednea de comandos controlados por el atacante se insertaban como HTML sin procesar en el informe generado. Esto permit\u00eda la ejecuci\u00f3n de JavaScript cuando una v\u00edctima abr\u00eda el informe generado en un navegador. La versi\u00f3n 1.19.2 corrige el problema."}], "lastModified": "2026-03-19T19:21:28.677", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*", "vulnerable": true, "matchCriteriaId": "09B42289-015F-4BFB-9F71-1299C86C535D", "versionEndExcluding": "1.19.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}