Skip to main content

Anchorr

2 CVEs product

Monthly

CVE-2026-32891 CRITICAL PATCH Act Now

A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.

XSS Anchorr
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-32890 CRITICAL PATCH Act Now

A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.

XSS Anchorr
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
EPSS 0% CVSS 9.0
CRITICAL PATCH Act Now

A stored cross-site scripting (XSS) vulnerability in Anchorr Discord bot versions 1.4.1 and below allows authenticated Jellyseerr users to execute arbitrary JavaScript in admin browser sessions. The XSS payload can exfiltrate the full application configuration including session tokens and API keys for integrated services (Jellyfin, Jellyseerr, Discord), enabling complete account takeover across all connected platforms without requiring admin credentials. This vulnerability is tagged as XSS in ENISA's database (EUVD-2026-13503) with a CVSS score of 9.0, though no EPSS score, KEV listing, or public POC availability is reported in the provided data.

XSS Anchorr
NVD GitHub VulDB
EPSS 0% CVSS 9.6
CRITICAL PATCH Act Now

A stored Cross-site Scripting (XSS) vulnerability exists in the Anchorr Discord bot's web dashboard User Mapping dropdown that allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in an administrator's browser. This can be chained with an unauthenticated API endpoint (/api/config) to exfiltrate all stored credentials including Discord tokens, Jellyfin API keys, Jellyseerr API keys, JWT secrets, webhook secrets, and bcrypt password hashes. The vulnerability affects Anchorr versions 1.4.1 and below, with a critical CVSS score of 9.6 indicating network-based exploitation with low complexity and no authentication required.

XSS Anchorr
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy