{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32890", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-03-20T02:35:22.545Z", "dateUpdated": "2026-03-20T18:08:39.685Z"}, "containers": {"cna": {"title": "Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q"}, {"name": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2"}, {"name": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}], "affected": [{"vendor": "openVESSL", "product": "Anchorr", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:35:22.545Z"}, "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}], "source": {"advisory": "GHSA-qpmq-6wjc-w28q", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T16:54:48.268475Z", "id": "CVE-2026-32890", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T18:08:39.685Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32890", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T16:54:48.268475Z"}}}], "references": [{"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T16:54:58.814Z"}}], "cna": {"title": "Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config", "source": {"advisory": "GHSA-qpmq-6wjc-w28q", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.7, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "openVESSL", "product": "Anchorr", "versions": [{"status": "affected", "version": "< 1.4.2"}]}], "references": [{"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "name": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "name": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "name": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:35:22.545Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32890", "state": "PUBLISHED", "dateUpdated": "2026-03-20T18:08:39.685Z", "dateReserved": "2026-03-16T21:03:44.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-20T02:35:22.545Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*", "matchCriteriaId": "584CDEBF-7E62-4732-A6FD-64B3384C3834", "versionEndIncluding": "1.4.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Anchorr es un bot de Discord para solicitar pel\u00edculas y programas de TV y recibir notificaciones cuando se a\u00f1aden elementos a un servidor multimedia. En las versiones 1.4.1 e inferiores, una vulnerabilidad de cross-site scripting (XSS) almacenado en el men\u00fa desplegable de Mapeo de Usuarios del panel de control web permite a cualquier usuario de Discord sin privilegios en el gremio configurado ejecutar JavaScript arbitrario en el navegador del administrador de Anchorr. Al encadenar esto con el endpoint GET /API/config (que devuelve todos los secretos en texto plano), un atacante puede exfiltrar cada credencial almacenada en Anchorr, lo que incluye DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET y hashes de contrase\u00f1a bcrypt sin ninguna autenticaci\u00f3n a Anchorr mismo. Este problema ha sido solucionado en la versi\u00f3n 1.4.2."}], "id": "CVE-2026-32890", "lastModified": "2026-03-27T16:23:02.673", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-20T03:16:00.060", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"], "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Anchorr", "source": "cna", "vendor": "openVESSL"}, "product": "anchorr", "vendor": "openvessl"}], "analysis": {"en": {"generated_at": "2026-03-27T17:29:12.094805+00:00", "value": {"mitigation_remediation": ["Upgrade Anchorr to version 1.4.2 or newer, where the XSS vulnerability and open /api/config endpoint have been fixed.", "If upgrading is delayed, immediately remove or restrict access to the User Mapping dropdown so that only trusted administrators can edit it.", "Restrict access to the /api/config endpoint, requiring authentication or removing it entirely from the deployment.", "Verify that the bot\u2019s administrative dashboard is only accessed over secure HTTPS connections and limit exposure to internal networks when possible.", "Regularly review and audit the bot\u2019s configuration files and secret storage to detect any unauthorized changes."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution leading to credential theft"}, "threat_synthesis": {"affected_systems": "The issue affects the openVESSL Anchorr bot version 1.4.1 and all earlier releases. The bug exists in the web dashboard component of the bot. Users running these versions and operating the administrative dashboard are vulnerable. Updates to Anchorr v1.4.2 and later contain the fix.", "description_and_impact": "Anchorr, a Discord bot used for media requests, contains a stored cross\u2011site scripting flaw in the web dashboard\u2019s User Mapping dropdown. An attacker who is an unprivileged member of the configured Discord guild can insert malicious JavaScript into this field. When the bot\u2019s administrator later visits the dashboard, the stored payload is executed in the administrator\u2019s browser, enabling the attacker to run arbitrary code with the same privileges as the admin. The attacker can then call the unprotected GET /api/config endpoint, which returns all credentials in plaintext, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes. The vulnerability is categorized as CWE\u201179 and CWE\u2011200 and carries a CVSS score of 9.7.", "risk_and_exploitability": "The flaw is high\u2011severity with an EPS score below 1\u202f% and is not listed in the CISA KEV catalog, indicating low current exploitation activity. However, the vulnerability can be leveraged without any authentication against Anchorr itself; the only requirement is that the attacker has Discord membership in the guild configured for the bot. Because the stored payload runs in the administrator\u2019s browser, any compromised admin session leads to full credential theft. The attack path is straightforward: an attacker injects malicious JavaScript via the dropdown, the next admin who views the dashboard triggers the payload, and the attacker exfiltrates secrets via the unsecured /api/config endpoint."}}}}, "created": "2026-03-20T08:53:02.830681+00:00", "updated": "2026-03-27T20:26:52.305325+00:00", "vendors": ["openvessl", "openvessl$PRODUCT$anchorr"]}