{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32891", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-16T21:03:44.422Z", "datePublished": "2026-03-20T02:38:43.329Z", "dateUpdated": "2026-03-20T02:38:43.329Z"}, "containers": {"cna": {"title": "Anchorr Privilege Escalation: Jellyseerr User \u2192 Anchorr Admin via Stored XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-80", "lang": "en", "description": "CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-212", "lang": "en", "description": "CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g"}, {"name": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}], "affected": [{"vendor": "openVESSL", "product": "Anchorr", "versions": [{"version": "< 1.4.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-20T02:38:43.329Z"}, "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint - which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2."}], "source": {"advisory": "GHSA-6mg4-788h-7g9g", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint - which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2."}], "id": "CVE-2026-32891", "lastModified": "2026-03-20T03:16:00.240", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-20T03:16:00.240", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-212"}, {"lang": "en", "value": "CWE-311"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.2)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Anchorr", "source": "cna", "vendor": "openVESSL"}, "product": "anchorr", "vendor": "openvessl"}], "analysis": {"en": {"generated_at": "2026-03-20T04:50:53.472414+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Anchorr to version 1.4.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects openVESSL\u2019s Anchorr application, specifically versions 1.4.1 and all prior releases. The vulnerable component is the Jellyseerr user selector in the Anchorr web interface. Administrators who host or run these versions should be aware that any user in the system can exploit the flaw.", "description_and_impact": "Anchorr, a Discord bot that manages media requests, contains a stored cross\u2011site scripting flaw in the Jellyseerr user selector for versions 1.4.1 and earlier. Any authenticated user can insert malicious JavaScript that executes in the browser session of an Anchorr administrator. The injected script calls the /api/config endpoint, which returns the entire application configuration in clear text, including API keys and tokens for the Jellyfin media server, the Jellyseerr request manager, and the Discord bot. An attacker can use the returned data to forge a valid admin session token, achieve full administrative control of the Anchorr dashboard without knowing the admin password, and simultaneously compromise all integrated services. The primary impact is unauthorized administrative privilege and credential theft, leading to potential data loss, unauthorized content distribution, and service disruption.", "risk_and_exploitability": "The flaw carries a CVSS v3.1 score of 9.1, indicating critical severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog, but the lack of exposure does not reduce its risk. The attack vector is inferred to require only an authenticated user account to inject malicious input; the exploit requires no special privileges beyond normal user rights. Once a valid user submits the stored XSS payload, the attacker can execute arbitrary client\u2011side code within the administrator\u2019s browser context, extract secret configuration data, forge an admin session, and gain full control. This low\u2011barrier exploitation path, combined with the high impact of credential compromise, makes the vulnerability highly exploitable in environments where multiple users interact with the bot."}}}}, "created": "2026-03-20T08:53:01.176271+00:00", "updated": "2026-03-20T10:37:45.321650+00:00", "vendors": ["openvessl", "openvessl$PRODUCT$anchorr"]}