Skip to main content

Anchorr CVE-2026-32890

| EUVDEUVD-2026-13501 CRITICAL
Cross-site Scripting (XSS) (CWE-79)
2026-03-20 security-advisories@github.com
9.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.6 CRITICAL
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.2
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13501
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 03:16 nvd
CRITICAL 9.6

DescriptionGitHub Advisory

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

AnalysisAI

A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.

Technical ContextAI

Anchorr is a Discord bot application that integrates with media server platforms like Jellyfin and Jellyseerr to manage movie and TV show requests. The vulnerability stems from CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-site Scripting. The application fails to properly sanitize user-controlled input in the User Mapping dropdown component of its web dashboard, allowing malicious JavaScript to be stored and executed when viewed by administrators. The severity is amplified by the presence of an insecure API endpoint (/api/config) that returns sensitive configuration data including all authentication credentials in plaintext without requiring any authentication, enabling complete credential theft through XSS payload execution.

RemediationAI

Immediately upgrade Anchorr to version 1.4.2 or later, which contains patches for both the stored XSS vulnerability and the unauthenticated API endpoint issue. The fix commit is available at https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2 and the patched release can be downloaded from https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2. Until patching is complete, organizations should immediately rotate all credentials stored in Anchorr including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, and webhook secrets, as these may have been compromised. Additionally, restrict access to the Anchorr web dashboard to trusted IP addresses only via firewall rules or reverse proxy configuration, and consider temporarily disabling the web dashboard if not immediately required for operations.

Share

CVE-2026-32890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy