Platform
nodejs
Component
anchorr
Fixed in
1.4.3
CVE-2026-32890 describes a stored cross-site scripting (XSS) vulnerability in Anchorr, a Discord bot for media requests. An unprivileged Discord user can plant JavaScript that later runs in the Anchorr administrator's browser, which can end in full compromise of the bot's stored credentials. Versions 1.4.1 and earlier are affected; the fix shipped in version 1.4.2.
The primary impact is credential theft. The attacker injects JavaScript into a value that the Anchorr web dashboard renders in its User Mapping dropdown; when an administrator opens that dropdown, the script runs in the administrator's browser session. From there it can call the dashboard's /api/config endpoint, which, according to the advisory, returns every stored secret in plaintext: the Discord bot token (DISCORD_TOKEN), the Jellyfin API key (JELLYFIN_API_KEY) and the Jellyseerr API key (JELLYSEERR_API_KEY). With those the attacker controls the bot and holds API access to the media servers, opening the door to unauthorized media-server access, data exfiltration and further abuse inside the Discord server.
CVE-2026-32890 was publicly disclosed on 2026-03-20. No public proof-of-concept (PoC) is known at the time of writing, but exploitation is cheap: the attacker needs nothing more than an unprivileged account on a Discord server the bot serves, and no dashboard credentials at all, so the likelihood of exploitation is high and the issue warrants immediate attention. It is not listed in the CISA KEV catalogue.
Discord server owners and administrators who run Anchorr are exposed. The risk is greatest where the web dashboard is reachable beyond a trusted network or lacks strong authentication, since the stolen token and API keys are immediately usable. On shared hosts that run several Discord bots, the compromised credentials can also serve as a foothold for lateral movement.
• nodejs / server: Server-side logs cannot show the JavaScript executing, because that happens in the administrator's browser. Look instead for the traces the attack leaves on the server: writes that put HTML or script into a Discord display name or mapping entry, and reads of /api/config at unusual times or from unusual addresses. Use lsof or ss to check for unexpected network connections from the Anchorr process (Anchorr runs under Node.js, so the PID is looked up as `node` here; adjust the name if you run it under a process manager or in a container, and note that lsof needs -a to AND the -i and -p filters, otherwise it lists every network socket on the host):
lsof -a -i -p "$(pidof node)"
• generic web: Inspect the web dashboard's User Mapping dropdown for entries that contain markup or odd characters. Check the reverse proxy's access log for requests to /api/config from anyone other than the administrator (the Apache path is an example; use your proxy's log location):
grep '/api/config' /var/log/apache2/access.log
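An added example, not part of this advisory or of the Anchorr project, of what the server-side detection above amounts to in practice: a small Node.js scanner over reverse-proxy access-log lines that flags successful reads of /api/config from addresses other than the administrator's, and request targets carrying HTML markup. The combined log format, the trusted administrator address and the sample lines are constructed assumptions for the example.

```javascript
// Added example (not Anchorr project code). The XSS runs in the admin's browser,
// so the server never logs "JavaScript execution"; what it can log is
// (1) reads of /api/config, which returns the bot's secrets in plaintext, from an
//     address the administrator does not normally use, and
// (2) request targets that carry HTML markup.
// Log format (nginx/Apache "combined") and the trusted address are assumptions.

const TRUSTED_ADMIN_IPS = new Set(['203.0.113.10']); // assumption: admin's VPN egress

// combined format: ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
const COMBINED_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"/;

function parseLine(line) {
  const m = COMBINED_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]), ua: m[6] };
}

// Decode %xx sequences so "%3Cscript%3E" is seen as markup; tolerate bad encodings.
function decodeTarget(target) {
  try {
    return decodeURIComponent(target.replace(/\+/g, ' '));
  } catch {
    return target;
  }
}

function findings(lines) {
  const out = [];
  for (const line of lines) {
    const r = parseLine(line);
    if (!r) continue; // unparsable line: skip rather than crash the scan
    const path = r.target.split('?')[0];
    // Trace 1: a successful secret read from an address outside the admin set.
    if (path === '/api/config' && r.status === 200 && !TRUSTED_ADMIN_IPS.has(r.ip)) {
      out.push({ kind: 'config-read-untrusted', ip: r.ip, time: r.time, ua: r.ua });
    }
    // Trace 2: an HTML tag start in the (decoded) request target.
    if (/<\s*\/?\s*[a-z]/i.test(decodeTarget(r.target))) {
      out.push({ kind: 'markup-in-request', ip: r.ip, time: r.time, target: r.target });
    }
  }
  return out;
}

// Constructed sample lines, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.10 - - [20/Mar/2026:10:01:02 +0000] "GET /api/config HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
  '198.51.100.7 - - [20/Mar/2026:10:05:44 +0000] "GET /api/config HTTP/1.1" 200 812 "-" "curl/8.5.0"',
  '198.51.100.7 - - [20/Mar/2026:10:05:50 +0000] "GET /api/users?q=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 54 "-" "curl/8.5.0"',
  '192.0.2.9 - - [20/Mar/2026:10:06:00 +0000] "GET /api/config HTTP/1.1" 401 0 "-" "curl/8.5.0"',
];

for (const f of findings(SAMPLE_LOG)) {
  console.log(JSON.stringify(f));
}
```

Run over the sample, the scanner reports the 200 on /api/config from 198.51.100.7 and the encoded `<img ... onerror>` in the query string, while the administrator's own read and the rejected 401 stay quiet. Because the injected name is stored on the Discord side and only rendered by the dashboard, trace 2 will often be absent; trace 1 is the one that matters, and any hit there should be followed by rotating the bot token and API keys.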
Exploit status
EPSS
0.06% (18th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-32890 is to upgrade Anchorr to version 1.4.2 or later without delay. If that is not immediately possible because of compatibility concerns, restrict the web dashboard to trusted administrators in the meantime (network allow-list, VPN or an authenticating reverse proxy) and add a Content Security Policy that forbids inline scripts, which blocks the inline event handlers a stored XSS payload typically relies on. A WAF rule is of limited use here: the script is stored and only rendered later, so there is no single dashboard request to match, and "unusual JavaScript execution" never reaches the server. Server-side monitoring should therefore focus on reads of /api/config. After upgrading, confirm the fix by putting a harmless marker such as <b>test</b> into a Discord display name that appears in the User Mapping dropdown and checking that the dashboard shows it literally instead of rendering it. Then rotate the Discord bot token and both API keys, since any administrator who opened the dropdown before the upgrade may already have leaked them, and review the Anchorr codebase for similar output-encoding gaps.
Update Anchorr to version 1.4.2 or later. That version fixes the stored XSS vulnerability and closes the path to exfiltration of the stored credentials.
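The following is an added example and not Anchorr's code: a hypothetical reconstruction of the bug class (a dropdown built from attacker-controlled Discord display names without HTML encoding) next to its hardened form, a probe that tells the two apart the way the post-upgrade check above does, and the Content Security Policy headers suggested as a stop-gap. Function names, the mapping record shape and the probe payload are assumptions.

```javascript
// Added example, not Anchorr's code: hypothetical reconstruction of the bug class
// (display names spliced into markup without encoding) beside the fix.

// Encode the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable shape: each Discord user's displayName lands in the dropdown verbatim,
// so a name like </option><img src=x onerror=...> closes the option and injects a tag.
function renderUserMappingVulnerable(users) {
  const options = users.map((u) => `<option value="${u.id}">${u.displayName}</option>`);
  return `<select name="discordUser">${options.join('')}</select>`;
}

// Hardened shape: every attacker-influenced value is encoded for the context it lands in.
function renderUserMappingSafe(users) {
  const options = users.map(
    (u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.displayName)}</option>`,
  );
  return `<select name="discordUser">${options.join('')}</select>`;
}

// Post-upgrade check: render a probe name whose only effect, if emitted raw, is an
// <img> tag, and confirm no such tag appears in the output. The encoded form
// "&lt;img" is inert and is what a fixed renderer should produce.
const PROBE_USER = {
  id: '123',
  displayName: '</option><img src=x onerror="fetch(\'/api/config\')">',
};

function renderIsSafe(renderFn) {
  const html = renderFn([PROBE_USER]);
  return !/<img/i.test(html);
}

// Defence in depth while the upgrade is pending: without 'unsafe-inline' the browser
// refuses inline <script> blocks and inline event handlers such as onerror=.
const SECURITY_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
  'X-Content-Type-Options': 'nosniff',
};

console.log('vulnerable renderer passes probe?', renderIsSafe(renderUserMappingVulnerable)); // false
console.log('hardened renderer passes probe?', renderIsSafe(renderUserMappingSafe)); // true
```

The CSP blocks nothing if the dashboard itself depends on inline scripts and 'unsafe-inline' gets added back, so check what the dashboard's own pages need before deploying it. The probe only proves that this one rendering path encodes its output; repeat it for every place a Discord-supplied string is displayed, and keep it as a regression test rather than as a substitute for the upgrade.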
CVE-2026-32890 is a critical stored XSS vulnerability in Anchorr versions 1.4.1 and below. It lets unprivileged Discord users run JavaScript in the administrator's browser and steal the bot's stored credentials.
If you run Anchorr version 1.4.1 or earlier, you are affected. Upgrade to version 1.4.2 or later to close the issue.
The recommended fix is to upgrade Anchorr to version 1.4.2 or later. Until you can, restrict access to the web dashboard and deploy a Content Security Policy that disallows inline scripts.
No public exploit is known at the time of writing, but the low bar to exploitation (an unprivileged Discord account is enough) makes exploitation likely. Monitor your systems closely.
Refer to the Anchorr project's official repository or website for the latest security advisories and updates.