CVE-2026-32890CRITICAL 9.6EPSS p34.0%

CVE-2026-32890CVE-2026-32890

Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

Scoring

CVSS 3.19.6 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS0.43% probability of exploitation · percentile 34.0% · 2026-06-19T12:03:05Z
Published2026-03-20
Last modified2026-03-27

Underlying weaknesses· 2

CWE-79CWE-200

References

  1. https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2
  2. https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2
  3. https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q
  4. https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q

2

TypeTargetConfidenceTier
WeaknessExposure of Sensitive Information to an Unauthorized Actorcwe-2000%live
WeaknessImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')cwe-790%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-32891
CVE
CVE-2025-48236
CVE
CVE-2026-11265
CVE
CVE-2026-50231
CVE
CVE-2026-10210
CVE
CVE-2025-26210
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.