{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32890", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-03-20T02:35:22.545Z", "dateUpdated": "2026-03-20T02:35:22.545Z"}, "containers": {"cna": {"title": "Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q"}, {"name": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2"}, {"name": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}], "affected": [{"vendor": "openVESSL", "product": "Anchorr", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:35:22.545Z"}, "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}], "source": {"advisory": "GHSA-qpmq-6wjc-w28q", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}], "id": "CVE-2026-32890", "lastModified": "2026-03-20T03:16:00.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:16:00.060", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2"}, {"source": "security-advisories@github.com", "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Anchorr", "source": "cna", "vendor": "openVESSL"}, "product": "anchorr", "vendor": "openvessl"}], "analysis": {"en": {"generated_at": "2026-03-20T04:22:50.850346+00:00", "value": {"mitigation_remediation": ["Apply the latest Anchorr 1.4.2 release or later to eliminate the XSS flaw.", "Restrict unprivileged Discord users from accessing the User Mapping dropdown or suspend their dashboard access until a patch can be applied."], "summary": {"action": "Apply Patch", "impact": "Credential Theft via Stored XSS"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in openVESSL:Anchorr versions 1.4.1 and earlier. The issue was fixed in version 1.4.2 and later releases.", "description_and_impact": "Anchorr, a Discord bot that manages media requests, contains a stored Cross\u2011Site Scripting (XSS) flaw in its User Mapping dropdown. An attacker who is an unprivileged Discord user in the configured guild can inject malicious JavaScript, which is executed in the browser of any future administrators who open the management dashboard. The attacker can then make a GET request to /api/config, which returns all credential data in plaintext, including DISC\"OD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes. This combination of stored XSS and a non\u2011protected configuration endpoint allows secret exfiltration without any authentication to Anchorr itself.", "risk_and_exploitability": "The CVSS base score is 9.7, indicating a critical impact. The exploit requires that an unprivileged Discord user be present in the guild and that an administrator browser later load the dashboard; no additional authentication is needed to read secrets. EPSS details are not available, and the vulnerability is not listed in CISA KEV, but the high score and direct credential disclosure make it a high\u2011priority risk for bots running with privileged secrets."}}}}, "created": "2026-03-20T08:53:02.830681+00:00", "updated": "2026-03-20T10:37:46.928367+00:00", "vendors": ["openvessl", "openvessl$PRODUCT$anchorr"]}