{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32722", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-13T15:02:00.625Z", "datePublished": "2026-03-18T21:25:21.495Z", "dateUpdated": "2026-03-19T17:39:50.970Z"}, "containers": {"cna": {"title": "Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9"}, {"name": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249", "tags": ["x_refsource_MISC"], "url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249"}, {"name": "https://github.com/bloomberg/memray/releases/tag/v1.19.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2"}], "affected": [{"vendor": "bloomberg", "product": "memray", "versions": [{"version": "< 1.19.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:25:21.495Z"}, "descriptions": [{"lang": "en", "value": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue."}], "source": {"advisory": "GHSA-r5pr-887v-m2w9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T17:28:46.936648Z", "id": "CVE-2026-32722", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:39:50.970Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32722", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-19T17:28:46.936648Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T17:39:47.037Z"}}], "cna": {"title": "Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata", "source": {"advisory": "GHSA-r5pr-887v-m2w9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 3.6, "attackVector": "LOCAL", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "bloomberg", "product": "memray", "versions": [{"status": "affected", "version": "< 1.19.2"}]}], "references": [{"url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9", "name": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249", "name": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2", "name": "https://github.com/bloomberg/memray/releases/tag/v1.19.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-18T21:25:21.495Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32722", "state": "PUBLISHED", "dateUpdated": "2026-03-19T17:39:50.970Z", "dateReserved": "2026-03-13T15:02:00.625Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-18T21:25:21.495Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*", "matchCriteriaId": "09B42289-015F-4BFB-9F71-1299C86C535D", "versionEndExcluding": "1.19.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue."}], "id": "CVE-2026-32722", "lastModified": "2026-03-19T19:21:28.677", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 3.6, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-18T22:16:24.670", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.19.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "memray", "source": "cna", "vendor": "bloomberg"}, "product": "memray", "vendor": "bloomberg"}], "analysis": {"en": {"generated_at": "2026-03-19T20:22:32.924134+00:00", "value": {"mitigation_remediation": ["Upgrade memray to version 1.19.2 or later."], "summary": {"action": "Apply Patch", "impact": "Stored XSS via unescaped command-line metadata"}, "threat_synthesis": {"affected_systems": "The affected product is Bloomberg\u2019s memray, available for all platforms that support Python. All releases older than v1.19.2 are vulnerable. No further version granularity is listed in the vendor data, but the advisory explicitly states that v1.19.2 contains the fix and earlier releases do not.", "description_and_impact": "Memray is a Python memory profiler that generates HTML reports. In versions prior to 1.19.2, the profiler inserts the command line of the profiled process directly into the report without escaping. This omission allows an attacker who can influence the command line to embed arbitrary JavaScript that is executed when a victim opens the report in a web browser. The vulnerability is a classic stored cross\u2011site scripting flaw (CWE\u201179) and could lead to theft of session data, credential compromise, or arbitrary client\u2011side script execution.", "risk_and_exploitability": "The CVSS score is 3.6, indicating low severity, and the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control the command line of a process that memray profiles and then have a user open the resulting HTML report, pointing to a local or potentially network\u2011shared file. Because the attack vector is client\u2011side and not a network\u2011based remote service, the risk is limited but still worth addressing to prevent accidental or intentional client\u2011side compromise."}}}}, "created": "2026-03-19T08:55:26.011733+00:00", "updated": "2026-03-25T11:52:08.631360+00:00", "vendors": ["bloomberg", "bloomberg$PRODUCT$memray"]}