Cyber Posture

CVE-2026-32891

Critical

Published: 20 March 2026

Modified: 27 March 2026
CVSS Score: 9.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0002 (6.3rd percentile)
Risk Priority: 18 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-32891 is a critical-severity Basic XSS (CWE-80) vulnerability in Openvessl Anchorr. Its CVSS base score is 9.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). By exploit likelihood it ranks at the 6.3rd percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Threat & Defense at a Glance

What attackers do: exploitation maps to JavaScript (T1059.007) and 3 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Validates and sanitizes user inputs in the Jellyseerr user selector to block injection of malicious JavaScript payloads that enable stored XSS.

Prevent: Filters and encodes information outputs when rendering the Jellyseerr user selector to prevent execution of injected JavaScript in the admin's browser session.

Prevent: Requires timely remediation of the specific stored XSS flaw by upgrading Anchorr to version 1.4.2, eliminating the vulnerability in the Jellyseerr user selector.
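The first two controls above, input validation and output encoding, are shown together below on a Jellyseerr-style user selector. This is an added example, not Anchorr's own code; it assumes a hypothetical user object shaped { id, displayName } and a server-side or template rendering path that builds the selector's markup as a string, and the sample users it renders are constructed for the demonstration.

```javascript
// Added example (not Anchorr's code): validating a display name on input and
// encoding it on output before it reaches an admin's browser.
// Assumed user shape: { id, displayName } (hypothetical, not Anchorr's model).

// Constructed sample data: one ordinary name and one hostile test vector of
// the kind a low-privileged account holder could store as a display name.
const SAMPLE_USERS = [
  { id: 1, displayName: "alice" },
  { id: 2, displayName: "<script>alert(1)</script>" },
];

// Output encoding (the SI-15 control): every character HTML treats specially
// becomes an entity, so the browser shows it as text instead of parsing it.
function escapeHtml(value) {
  const entities = {
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  };
  return String(value).replace(/[&<>"']/g, (ch) => entities[ch]);
}

// Input validation (the SI-10 control): an allow-list for display names,
// applied where the name is stored. Letters, digits, space, dot, underscore
// and hyphen only; anything else, including angle brackets, is rejected.
const DISPLAY_NAME_RE = /^[\p{L}\p{N} ._-]{1,64}$/u;
function isValidDisplayName(name) {
  return typeof name === "string" && DISPLAY_NAME_RE.test(name);
}

// The vulnerable pattern: untrusted text concatenated straight into markup.
// A stored name that contains script tags is emitted unchanged.
function renderOptionUnsafe(user) {
  return `<option value="${user.id}">${user.displayName}</option>`;
}

// The hardened pattern: encode on output regardless of what validation did,
// so a value that slipped past the store-time check still renders inert.
function renderOptionSafe(user) {
  return `<option value="${escapeHtml(user.id)}">${escapeHtml(user.displayName)}</option>`;
}

// Builds the whole selector; only the encoding renderer is used here.
function renderUserSelector(users) {
  return `<select name="jellyseerrUser">${users.map(renderOptionSafe).join("")}</select>`;
}

console.log("store-time check:", SAMPLE_USERS.map((u) => isValidDisplayName(u.displayName)));
console.log("unsafe:", renderOptionUnsafe(SAMPLE_USERS[1]));
console.log("safe:  ", renderUserSelector(SAMPLE_USERS));
```

Validation and encoding are independent layers: the allow-list stops hostile names from being stored at all, while the encoder guarantees that whatever is stored renders as text. In a browser, the same effect is obtained by assigning `textContent` or creating `option` elements with the DOM API instead of assigning `innerHTML`.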

MITRE ATT&CK Enterprise Techniques

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.
T1185 Browser Session Hijacking (Collection): Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user behaviors, and intercept information as part of various browser session hijacking techniques.
T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Stored XSS directly enables arbitrary JS execution in admin browser (T1059.007), facilitating browser session hijacking (T1185), web session token/cookie theft (T1539), and exposure of API keys/tokens from config (T1552).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint, which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2.

Deeper analysis

CVE-2026-32891 is a stored cross-site scripting (XSS) vulnerability, classified under CWE-80, CWE-212, and CWE-311, affecting Anchorr, a Discord bot for requesting movies and TV shows that also sends notifications when items are added to a media server. The flaw resides in the Jellyseerr user selector component in versions 1.4.1 and earlier. It enables arbitrary JavaScript execution within the browser session of an Anchorr administrator; the injected script then calls the authenticated /api/config endpoint, which returns the full application configuration in plaintext. The vulnerability carries a CVSS v3.1 base score of 9.0 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H).

Any Anchorr account holder with low privileges can exploit this issue by injecting malicious JavaScript via the Jellyseerr user selector. Exploitation requires user interaction, as an administrator must view the affected selector for the script to execute in their browser context. Successful exploitation allows the attacker to forge a valid Anchorr session token, granting full unauthorized access to the admin dashboard without knowledge of the admin password. Additionally, the exposed configuration reveals API keys and tokens, enabling simultaneous account takeovers of the integrated Jellyfin media server (via JELLYFIN_API_KEY), Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN).

The issue has been addressed in Anchorr version 1.4.2, as detailed in the project's GitHub release notes and security advisory (GHSA-6mg4-788h-7g9g). Security practitioners should immediately upgrade to the patched version and review exposed configurations for potential compromise, particularly in environments integrating media servers and Discord bots.

Details

CWE(s): CWE-80, CWE-212, CWE-311

Affected Products: openvessl anchorr ≤ 1.4.1

CVEs Like This One

CVE-2026-32890: Same product (Openvessl Anchorr)
CVE-2026-33080: Shared CWE-80
CVE-2025-53835: Shared CWE-80
CVE-2026-43824: Shared CWE-212
CVE-2025-22501: Shared CWE-80
CVE-2025-29314: Shared CWE-311
CVE-2025-14835: Shared CWE-80
CVE-2026-28678: Shared CWE-311
CVE-2025-24680: Shared CWE-80
CVE-2024-13497: Shared CWE-80
