Skip to main content

Anchorr EUVDEUVD-2026-13503

| CVE-2026-32891 CRITICAL
Basic XSS (CWE-80)
2026-03-20 security-advisories@github.com
9.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.0 CRITICAL
AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Analysis Updated
Apr 16, 2026 - 05:49 EUVD-patch-fix
executive_summary
Re-analysis Queued
Apr 16, 2026 - 05:29 backfill_euvd_patch
patch_released
Patch available
Apr 16, 2026 - 05:29 EUVD
1.4.2
EUVD ID Assigned
Mar 20, 2026 - 08:37 euvd
EUVD-2026-13503
Analysis Generated
Mar 20, 2026 - 08:37 vuln.today
CVE Published
Mar 20, 2026 - 03:16 nvd
CRITICAL 9.0

DescriptionGitHub Advisory

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint - which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2.

AnalysisAI

A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.

Technical ContextAI

Anchorr is an open-source Discord bot that integrates with Jellyfin media servers and Jellyseerr request management systems. The vulnerability (CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page) exists in the Jellyseerr user selector component where user-controlled input is not properly sanitized before rendering in the admin interface. When malicious JavaScript is stored via the selector and subsequently rendered in an administrator's browser, it executes with the admin's privilege level and can invoke authenticated API endpoints like /api/config. This endpoint inappropriately returns sensitive configuration data including JELLYFIN_API_KEY, JELLYSEERR_API_KEY, and DISCORD_TOKEN in plaintext to authenticated sessions, compounding the stored XSS with excessive information disclosure.

RemediationAI

Upgrade Anchorr to version 1.4.2 or later, which contains a fix for this vulnerability as documented in the release notes at https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2. Review the GitHub security advisory at https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g for additional guidance. After upgrading, immediately rotate all exposed credentials including JELLYFIN_API_KEY, JELLYSEERR_API_KEY, and DISCORD_TOKEN as these may have been compromised if an attack occurred prior to patching. Until patching is complete, restrict admin dashboard access to trusted networks only and avoid interacting with user-submitted content in Jellyseerr selectors. Consider implementing Content Security Policy headers to mitigate XSS execution if feasible in the deployment environment.

Share

EUVD-2026-13503 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy