CVE-2026-32890

EPSS 0.06%
Veröffentlicht 20.03.2026 03:16:00
Zuletzt bearbeitet 27.03.2026 16:23:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 6

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Openvessl ≫ Anchorr Version <= 1.4.1

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.06%	0.187

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
security-advisories@github.com	9.6	2.8	6	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2

Patch

https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2

Release Notes

https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2026-32890

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-32890

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-32890

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-32890