CVE-2026-32890

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

CVSS v3 9.6 CRITICAL

9.6^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2	Patch
https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2	Release Notes
https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q	Vendor Advisory
https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 03:16

Updated : 2026-03-27 16:23

NVD link : CVE-2026-32890

Mitre link : CVE-2026-32890

CVE.ORG link : CVE-2026-32890

JSON object : View

Products Affected

openvessl

anchorr

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2026-32890", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T03:16:00.060", "references": [{"url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Anchorr es un bot de Discord para solicitar pel\u00edculas y programas de TV y recibir notificaciones cuando se a\u00f1aden elementos a un servidor multimedia. En las versiones 1.4.1 e inferiores, una vulnerabilidad de cross-site scripting (XSS) almacenado en el men\u00fa desplegable de Mapeo de Usuarios del panel de control web permite a cualquier usuario de Discord sin privilegios en el gremio configurado ejecutar JavaScript arbitrario en el navegador del administrador de Anchorr. Al encadenar esto con el endpoint GET /API/config (que devuelve todos los secretos en texto plano), un atacante puede exfiltrar cada credencial almacenada en Anchorr, lo que incluye DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET y hashes de contrase\u00f1a bcrypt sin ninguna autenticaci\u00f3n a Anchorr mismo. Este problema ha sido solucionado en la versi\u00f3n 1.4.2."}], "lastModified": "2026-03-27T16:23:02.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "584CDEBF-7E62-4732-A6FD-64B3384C3834", "versionEndIncluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}