Cyber Posture

CVE-2026-32890

Severity: Critical
Published: 20 March 2026
Modified: 27 March 2026
KEV Added: not listed
Patch: fixed in Anchorr 1.4.2
CVSS Score: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.9th percentile)
Risk Priority: 19 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32890 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in Openvessl Anchorr. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 7.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Requires validation and sanitization of inputs from Discord users to the User Mapping dropdown, preventing injection and storage of malicious JavaScript payloads.

SI-15 Information Output Filtering (prevent): Mandates filtering and encoding of stored user mapping data when it is output to the web dashboard, blocking execution of injected scripts in the admin's browser.

Prevent: Directs timely remediation of the identified XSS flaw and the associated sensitive data exposure, as fixed in Anchorr version 1.4.2.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution)
Adversaries may abuse various implementations of JavaScript for execution.

T1185 Browser Session Hijacking (Collection)
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.

T1528 Steal Application Access Token (Credential Access)
Adversaries can steal application access tokens as a means of acquiring credentials to access remote systems and resources.

Why these techniques?

Stored XSS in the public web dashboard directly enables T1190 (exploiting the application), T1059.007 (execution of the malicious JavaScript payload), T1185 (hijacking the admin's browser session context), and T1528 (exfiltration of API tokens and secrets via the chained unauthenticated endpoint).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr, which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

Deeper analysis

CVE-2026-32890 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-200 (Exposure of Sensitive Information), affecting Anchorr versions 1.4.1 and prior. Anchorr is an open-source Discord bot designed for requesting movies and TV shows while providing notifications when items are added to a media server. The flaw resides in the web dashboard's User Mapping dropdown, where insufficient input sanitization enables the injection and persistent storage of malicious JavaScript. The vulnerability carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility and potential for significant impact.

Any unprivileged Discord user within the configured guild can exploit this vulnerability by injecting malicious payloads into the User Mapping dropdown. When an Anchorr administrator views the dashboard, the stored script executes in their browser context, granting the attacker the admin's privileges. Attackers can chain this with the unauthenticated GET /api/config endpoint, which exposes all stored secrets in plaintext, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, allowing full credential exfiltration without direct authentication to Anchorr.

The GitHub security advisory (GHSA-qpmq-6wjc-w28q) and related commit (d5ae67e5b455241274ed0072cf2db43a6eb3f0b2) detail the fix implemented in Anchorr version 1.4.2, released to address the XSS injection and sensitive data exposure. Security practitioners should immediately upgrade to v1.4.2 or later, audit Discord guild configurations for untrusted users, and review admin browser activity for signs of compromise. The release notes confirm the patch resolves the issue without introducing breaking changes.
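An added illustration of the SI-10 and SI-15 controls applied to a dropdown like the User Mapping one described above; this is example code, not Anchorr's own (which this page does not show). The record shape (displayName, userId), the id format and the sample names are assumptions.

```javascript
// Added example, not Anchorr's code: the vulnerable rendering pattern for a User
// Mapping dropdown beside a hardened one. displayName is the Discord-supplied,
// attacker-controlled field; userId is a media-server user id (assumed format).

// HTML-entity encode every character that can break out of text or attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern (CWE-79): untrusted fields are interpolated into markup verbatim,
// so a stored name containing <script> executes when the admin opens the dashboard.
function renderOptionsUnsafe(mappings) {
  return mappings
    .map((m) => `<option value="${m.userId}">${m.displayName}</option>`)
    .join("");
}

// Hardened pattern: allow-list the id on the way in (SI-10) and encode every
// untrusted field on the way out (SI-15), so stored markup renders as inert text.
const USER_ID_RE = /^[A-Za-z0-9_-]{1,64}$/; // assumed id format

function renderOptionsSafe(mappings) {
  return mappings
    .map((m) => {
      if (!USER_ID_RE.test(String(m.userId))) {
        throw new Error(`rejected userId: ${JSON.stringify(m.userId)}`);
      }
      return `<option value="${escapeHtml(m.userId)}">${escapeHtml(m.displayName)}</option>`;
    })
    .join("");
}

// Constructed sample: one benign mapping and one whose display name carries markup.
const SAMPLE_MAPPINGS = [
  { displayName: "alice", userId: "jf-001" },
  { displayName: "<script>alert(1)</script>", userId: "jf-002" },
];

// True when rendered markup still contains a live <script> tag (a simple check a
// dashboard test suite could run over every rendered view).
function containsLiveScript(html) {
  return /<script[\s>]/i.test(html);
}

console.log("unsafe renders live script:", containsLiveScript(renderOptionsUnsafe(SAMPLE_MAPPINGS)));
console.log("safe renders live script:", containsLiveScript(renderOptionsSafe(SAMPLE_MAPPINGS)));
```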

Details

CWE(s): CWE-79, CWE-200

Affected Products: openvessl anchorr ≤ 1.4.1

CVEs Like This One

CVE-2026-32891 (same product: Openvessl Anchorr)
CVE-2025-27405 (shared CWE-79)
CVE-2026-25156 (shared CWE-79)
CVE-2025-69096 (shared CWE-79)
CVE-2025-15440 (shared CWE-79)
CVE-2026-22524 (shared CWE-79)
CVE-2026-4803 (shared CWE-79)
CVE-2025-40587 (shared CWE-79)
CVE-2026-26930 (shared CWE-79)
CVE-2025-23998 (shared CWE-79)
