CVE-2026-32722 describes a cross-site scripting (XSS) vulnerability affecting Memray versions up to 1.19.1. This vulnerability allows attackers to inject malicious HTML into generated reports by manipulating process command line arguments. Exploitation occurs when a user views the report in a web browser, potentially leading to JavaScript execution. A fix is available in Memray 1.19.2.
The primary impact of CVE-2026-32722 is the potential for arbitrary JavaScript execution within the context of a user's browser. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the report. The vulnerability arises because Memray fails to properly escape command line arguments when rendering them in HTML reports. This lack of sanitization allows attackers to inject arbitrary HTML and JavaScript code. The blast radius is limited to users who view reports generated by Memray attached to processes controlled by an attacker.
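The escaping failure described above, as an added example that is not Memray's code: a hypothetical report template renders a constructed command line with and without HTML escaping, and a small parser check lists any element the metadata introduced into the page. `TEMPLATE`, the function names and `SAMPLE_ARGV` are assumptions made for illustration.

```python
import html
from html.parser import HTMLParser

# Hypothetical report fragment; Memray's real template is not reproduced here.
TEMPLATE = "<table><tr><th>Command line</th><td>{cmdline}</td></tr></table>"
TEMPLATE_TAGS = {"table", "tr", "th", "td"}

# Constructed sample: argv of a profiled process with markup in one argument.
SAMPLE_ARGV = ["python", "app.py", "--title=<script>alert(1)</script>"]


def render_unescaped(argv):
    """Vulnerable pattern: process metadata is pasted into the HTML as-is."""
    return TEMPLATE.format(cmdline=" ".join(argv))


def render_escaped(argv):
    """Hardened pattern: metadata is HTML-escaped before it reaches the page."""
    return TEMPLATE.format(cmdline=html.escape(" ".join(argv), quote=True))


class _TagCollector(HTMLParser):
    """Records every element start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def unexpected_tags(document):
    """Return elements in the rendered report that the template did not define."""
    collector = _TagCollector()
    collector.feed(document)
    collector.close()
    return [tag for tag in collector.tags if tag not in TEMPLATE_TAGS]


if __name__ == "__main__":
    for render in (render_unescaped, render_escaped):
        print(render.__name__, "->", unexpected_tags(render(SAMPLE_ARGV)))
```

The same `unexpected_tags` check works as a regression test for any report generator that embeds process metadata in HTML.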
CVE-2026-32722 was publicly disclosed on 2026-03-16. There are currently no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog. The CVSS score is LOW (3.6), indicating a relatively low probability of exploitation in the absence of a public exploit.
EPSS: 0.01% (2% percentile)
The recommended mitigation for CVE-2026-32722 is to upgrade Memray to version 1.19.2 or later, which addresses the vulnerability. If upgrading is not immediately feasible, avoid attaching Memray to untrusted processes until the upgrade can be performed. Consider implementing input validation on command line arguments passed to the processes being monitored to reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it relies on the context of report generation.
Upgrade the Memray library to version 1.19.2 or later. This resolves the stored cross-site scripting (XSS) vulnerability by correctly escaping the command line metadata in the generated HTML reports.
CVE-2026-32722 is a cross-site scripting vulnerability in Memray versions 1.19.1 and earlier. It allows attackers to inject malicious HTML into generated reports, potentially leading to JavaScript execution.
If you are using Memray version 1.19.1 or earlier, you are affected by this vulnerability. Check your Memray version using memray --version.
Upgrade Memray to version 1.19.2 or later to resolve the vulnerability. Avoid attaching Memray to untrusted processes until the upgrade is complete.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-32722.
Refer to the Memray project's official channels (website, GitHub repository) for the latest advisory and updates regarding CVE-2026-32722.