Platform: nodejs
Component: anchorr
Fixed in: 1.4.3
CVE-2026-32890 describes a stored Cross-site Scripting (XSS) vulnerability affecting Anchorr, a Discord bot used for media requests. This vulnerability allows unprivileged Discord users to execute arbitrary JavaScript within the Anchorr administrator's browser, potentially leading to complete credential compromise. The vulnerability impacts versions 1.4.1 and earlier, and a fix is available in version 1.4.2.
The XSS vulnerability in the User Mapping dropdown of Anchorr's web dashboard presents a severe risk. An attacker can inject malicious JavaScript code that executes in the context of the Anchorr administrator's browser. Crucially, the /api/config endpoint returns all stored secrets in plaintext, including the Discord bot token (DISCORD_TOKEN) and the API keys for Jellyfin and Jellyseer. Successful exploitation allows an attacker to gain complete control over the bot, access sensitive media data, and potentially compromise other connected services. The blast radius extends beyond the Discord server itself, potentially impacting any services integrated with Anchorr.
This vulnerability was publicly disclosed on 2026-03-20. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploitation (requiring only a Discord user account within the configured guild) suggests a high probability of exploitation. The vulnerability's impact (credential theft) makes it a high-priority target. It is not currently listed on CISA KEV.
Exploit Status
EPSS: 0.06% (18th percentile)
The primary mitigation for CVE-2026-32890 is to immediately upgrade Anchorr to version 1.4.2 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider restricting access to the web dashboard to only trusted administrators. Implement a Content Security Policy (CSP) to limit the execution of inline scripts and external resources. Monitor the /api/config endpoint for unauthorized access attempts. While a WAF might offer some protection, it is not a substitute for patching the vulnerability.
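The two server-side hardening measures the advisory points at, as an added example that is not Anchorr's own code: escaping Discord-supplied names before they are placed in the User Mapping dropdown markup, and redacting secrets from the object a /api/config-style endpoint returns, alongside the recommended CSP header. The key names other than DISCORD_TOKEN and the sample data are assumed for illustration.

```javascript
// Added example (not Anchorr's code). Key names other than DISCORD_TOKEN are
// assumed; the sample users and config below are constructed, not real data.

// Escape the five HTML-significant characters so a Discord display name that
// contains markup is rendered as text rather than parsed as tags/attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the User Mapping <select> options from attacker-influenced data.
// Both the attribute value and the visible label go through escapeHtml;
// the stored-XSS class of bug comes from concatenating the raw name instead.
function renderUserMappingOptions(users) {
  return users
    .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.name)}</option>`)
    .join('');
}

// Secrets should never leave the server through a config read endpoint.
// Return a copy with sensitive fields replaced by a marker, so the dashboard
// can still show whether a value is configured without exposing it.
const SECRET_KEYS = new Set(['DISCORD_TOKEN', 'JELLYFIN_API_KEY', 'JELLYSEER_API_KEY']);

function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    out[key] = SECRET_KEYS.has(key) && value ? '[redacted]' : value;
  }
  return out;
}

// Content Security Policy the advisory recommends: no inline scripts, scripts
// only from the dashboard's own origin. Send it as a response header.
const CSP_HEADER = "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'";

// Constructed sample input.
const sampleUsers = [
  { id: '123', name: 'alice' },
  { id: '456', name: 'mallory <script>' },
];
const sampleConfig = { DISCORD_TOKEN: 'tok-placeholder', JELLYFIN_URL: 'http://jellyfin.local' };

console.log(renderUserMappingOptions(sampleUsers));
console.log(redactConfig(sampleConfig), CSP_HEADER);
```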
Update Anchorr to version 1.4.2 or higher. This version fixes the stored XSS vulnerability and prevents the exfiltration of sensitive credentials.
CVE-2026-32890 is a critical stored XSS vulnerability in Anchorr versions 1.4.1 and below. It allows unprivileged Discord users to execute JavaScript, potentially stealing sensitive credentials.
If you are using Anchorr version 1.4.1 or earlier, you are affected by this vulnerability. Upgrade to version 1.4.2 to mitigate the risk.
The recommended fix is to upgrade Anchorr to version 1.4.2 or later. If upgrading is not immediately possible, restrict access to the web dashboard and implement a Content Security Policy.
While no public exploits are currently known, the vulnerability's ease of exploitation suggests a high probability of exploitation. Monitor your systems closely.
Refer to the Anchorr project's official repository or website for the latest security advisories and updates.