EUVD-2026-13501 | CVE-2026-32890
Severity: CRITICAL 9.6 (CVSS 3.1)
Published: 2026-03-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Mar 20, 2026 - 03:16 (nvd): CVE Published, CRITICAL 9.6
Mar 20, 2026 - 08:37 (euvd): EUVD ID Assigned, EUVD-2026-13501
Mar 20, 2026 - 08:37 (vuln.today): Analysis Generated

Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint, which returns all secrets in plaintext, an attacker can exfiltrate every credential stored in Anchorr, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET and the bcrypt password hashes, without any authentication to Anchorr itself; membership in the Discord guild is the only precondition. This issue has been fixed in version 1.4.2.
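The sink described above, as an added example that is not Anchorr's own code: the User Mapping dropdown is modelled as an HTML string so the injection and its fix are visible without a browser. The field names (`id`, `displayName`) and the sample members are constructed; the advisory does not say which Discord-controlled field reaches the dropdown, so the display name is an assumption.

```javascript
// Added example (not Anchorr's code): the User Mapping dropdown modelled as an
// HTML string, so the XSS sink and its fix can be seen without a browser.
// Field names and the sample members below are constructed for illustration.

// Constructed guild members as the dashboard might receive them from Discord.
// The last display name is attacker-controlled and carries a payload.
const sampleMembers = [
  { id: "111111111111111111", displayName: "alice" },
  { id: "222222222222222222", displayName: "bob & co" },
  {
    id: "333333333333333333",
    // Closing </option> early makes the rest of the string parse as markup;
    // the onerror handler then runs in the admin's origin.
    displayName: '</option><img src=x onerror="fetch(\'/api/config\')">',
  },
];

// Vulnerable: untrusted text interpolated straight into markup. In the
// browser this is the same as assigning the string to element.innerHTML.
function renderOptionUnsafe(member) {
  return `<option value="${member.id}">${member.displayName}</option>`;
}

// HTML escaper for text content and double-quoted attribute values.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened: every untrusted value is escaped for the context it lands in.
function renderOptionSafe(member) {
  return `<option value="${escapeHtml(member.id)}">${escapeHtml(member.displayName)}</option>`;
}

// Counts tags other than the single <option> the template intends. A
// demonstration aid only: it shows whether markup was injected, it is not a sanitizer.
function injectedTagCount(optionHtml) {
  return (optionHtml.match(/<(?!\/?option\b)[a-z]/gi) || []).length;
}

// Render the full dropdown with either renderer.
function renderDropdown(members, renderOption) {
  return `<select id="user-mapping">${members.map(renderOption).join("")}</select>`;
}

// In a real page, prefer building DOM nodes over escaping strings:
//   const opt = document.createElement("option");
//   opt.value = member.id;
//   opt.textContent = member.displayName;
// textContent is never parsed as markup, whatever the name contains.

console.log("unsafe:", renderDropdown(sampleMembers, renderOptionUnsafe));
console.log("safe:  ", renderDropdown(sampleMembers, renderOptionSafe));
```

The unsafe render emits a live `<img>` with an `onerror` handler for the third member; the safe render emits the same name as inert text. Escaping is the string-building fix; building nodes with `textContent` removes the sink altogether.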

Analysis

A stored Cross-site Scripting (XSS) vulnerability in the User Mapping dropdown of the Anchorr Discord bot's web dashboard allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. Chained with the unauthenticated /api/config endpoint, it lets the attacker exfiltrate all stored credentials: the Discord token, Jellyfin and Jellyseerr API keys, JWT secret, webhook secret, and bcrypt password hashes. …


Remediation

Within 24 hours: identify all systems running Anchorr, isolate affected instances from production networks, and audit API access logs for suspicious activity. Within 7 days: rotate all exposed credentials (Discord token, Jellyfin and Jellyseerr API keys, JWT secret, webhook secret) and reset administrator passwords; restrict dashboard access to trusted IPs with network-level access controls. …
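The second half of the chain is the config endpoint that returned every secret in plaintext. As an added example (not Anchorr's code), a redaction step for a config response and a check that lists the keys of a response body that still carry plaintext secrets, useful when verifying that an upgraded or firewalled instance no longer exposes them. The key names DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET and WEBHOOK_SECRET come from the advisory; ADMIN_CREDENTIAL, the non-secret keys, the naming convention in the key pattern and all values are constructed.

```javascript
// Added example (not Anchorr's code): redacting secrets from a config
// response and checking a response body for secrets that were left in.
// Key names from the advisory: DISCORD_TOKEN, JELLYFIN_API_KEY,
// JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET. ADMIN_CREDENTIAL, the
// non-secret keys and every value below are constructed.

const REDACTED = "********";

// Keys that carry credentials by name (assumed naming convention).
const SECRET_KEY_PATTERN = /(TOKEN|SECRET|API_KEY|PASSWORD|HASH)$/i;

// A bcrypt hash is recognisable by its value even under an innocuous key:
// $2a$ / $2b$ / $2y$, a two-digit cost, then 53 base64 characters.
const BCRYPT_PATTERN = /^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/;

// Constructed config, shaped like a response that returned everything in plaintext.
const sampleConfig = {
  DISCORD_GUILD_ID: "123456789012345678",
  DISCORD_TOKEN: "MTIz.constructed.discord-token",
  JELLYFIN_URL: "http://jellyfin.local:8096",
  JELLYFIN_API_KEY: "0123456789abcdef0123456789abcdef",
  JELLYSEERR_API_KEY: "MTcxMDAwMDAwMDAwMA==",
  JWT_SECRET: "change-me",
  WEBHOOK_SECRET: "also-change-me",
  // bcrypt hash under a key the name pattern would miss.
  ADMIN_CREDENTIAL: "$2b$12$" + "a".repeat(53),
};

function isSecret(key, value) {
  return SECRET_KEY_PATTERN.test(key) || (typeof value === "string" && BCRYPT_PATTERN.test(value));
}

// Copy of the config that is safe to hand to the dashboard: secrets are
// replaced by a fixed marker so the UI can show set / not set without the value.
function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = isSecret(key, value) ? (value ? REDACTED : "") : value;
  }
  return out;
}

// Check for an already-parsed JSON body: keys whose value still looks like a
// live secret. Empty after the fix; lists every credential before it.
function leakedSecretKeys(body) {
  return Object.entries(body)
    .filter(([key, value]) => isSecret(key, value) && value && value !== REDACTED)
    .map(([key]) => key)
    .sort();
}

console.log("leaked before:", leakedSecretKeys(sampleConfig));
console.log("leaked after: ", leakedSecretKeys(redactConfig(sampleConfig)));
```

Redaction is defence in depth: the endpoint must also require an authenticated admin session, which the advisory says it lacked, and rotating the exposed values remains necessary because redaction does not undo a read that has already happened.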


Priority Score

48
KEV: 0
EPSS: +0.1
CVSS: +48
POC: 0


EUVD-2026-13501 vulnerability details – vuln.today
