CVE-2026-32890

{"id": "CVE-2026-32890", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.6, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.8}]}, "published": "2026-03-20T03:16:00.060", "references": [{"url": "https://github.com/openVESSL/Anchorr/commit/d5ae67e5b455241274ed0072cf2db43a6eb3f0b2", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/releases/tag/v1.4.2", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/openVESSL/Anchorr/security/advisories/GHSA-qpmq-6wjc-w28q", "tags": ["Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}, {"lang": "en", "value": "CWE-200"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2."}, {"lang": "es", "value": "Anchorr es un bot de Discord para solicitar pel\u00edculas y programas de TV y recibir notificaciones cuando se a\u00f1aden elementos a un servidor multimedia. En las versiones 1.4.1 e inferiores, una vulnerabilidad de cross-site scripting (XSS) almacenado en el men\u00fa desplegable de Mapeo de Usuarios del panel de control web permite a cualquier usuario de Discord sin privilegios en el gremio configurado ejecutar JavaScript arbitrario en el navegador del administrador de Anchorr. Al encadenar esto con el endpoint GET /API/config (que devuelve todos los secretos en texto plano), un atacante puede exfiltrar cada credencial almacenada en Anchorr, lo que incluye DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET y hashes de contrase\u00f1a bcrypt sin ninguna autenticaci\u00f3n a Anchorr mismo. Este problema ha sido solucionado en la versi\u00f3n 1.4.2."}], "lastModified": "2026-03-27T16:23:02.673", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "584CDEBF-7E62-4732-A6FD-64B3384C3834", "versionEndIncluding": "1.4.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}