Platform
python
Component
memray
Fixed versions
1.19.3
1.19.2
CVE-2026-32722 describes a cross-site scripting (XSS) vulnerability affecting Memray versions up to and including 1.19.1. It allows an attacker to inject malicious HTML into generated reports by controlling the command line arguments of a process that Memray is attached to. The injected content is triggered when a user opens the report in a web browser, potentially leading to JavaScript execution. A fix is available in Memray 1.19.2.
The primary impact of CVE-2026-32722 is the potential for arbitrary JavaScript execution within the context of a user's browser. An attacker could leverage this to steal session cookies, redirect users to malicious websites, or deface the report. The vulnerability arises because Memray fails to properly escape command line arguments when rendering them in HTML reports. This lack of sanitization allows attackers to inject arbitrary HTML and JavaScript code. The blast radius is limited to users who view reports generated by Memray attached to processes controlled by an attacker.
CVE-2026-32722 was publicly disclosed on 2026-03-16. There are currently no known public proof-of-concept exploits. The vulnerability is not listed in the CISA KEV catalog. The CVSS base score is 3.6 (Low); combined with the absence of a public exploit, this indicates a relatively low likelihood of exploitation.
Organizations using Memray to monitor processes, particularly those where the processes being monitored are exposed to untrusted input or external control, are at risk. This includes development teams using Memray for debugging and performance analysis, and security teams using it for incident response.
• python / memray: Inspect Memray generated reports for unusual HTML or JavaScript code. Look for injected <script> tags or event handlers.
• python / memray: Check Memray version using memray --version. If the version is less than 1.19.2, the system is vulnerable.
• generic web: Examine Memray report files (typically HTML) for suspicious code.
• generic web: Monitor web server access logs for requests to Memray report generation endpoints with unusual parameters.
disclosure
Exploit status
EPSS
0.01% (2nd percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-32722 is to upgrade Memray to version 1.19.2 or later, which addresses the vulnerability. If upgrading is not immediately feasible, avoid attaching Memray to untrusted processes until the upgrade can be performed. Consider implementing input validation on command line arguments passed to the processes being monitored to reduce the attack surface. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it relies on the context of report generation.
Update the Memray library to version 1.19.2 or later. This release fixes the stored cross-site scripting (XSS) vulnerability by properly escaping command line metadata in generated HTML reports.
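The root cause described above (command line metadata interpolated into an HTML report without escaping) and the two checks recommended on this page (inspecting a report for injected script or event-handler attributes, and comparing the installed version against 1.19.2) can be illustrated in one small script. This is an added example written for this page; it is not Memray's own rendering or CLI code. The render functions are illustrative stand-ins for the vulnerable and fixed behaviour, the sample command line is constructed, and the version parser assumes only that the version string contains a dotted numeric version somewhere in it.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample: a command line as an attacker-controlled process might
# present it to a profiler. Not taken from the advisory or from Memray.
SAMPLE_ARGV = ["python", "app.py", "--name", "<img src=x onerror=alert(1)>"]

# Version in which the page says the escaping fix landed.
FIXED_VERSION = (1, 19, 2)


def render_unescaped(argv):
    """Vulnerable pattern (illustrative, not Memray's code): metadata is
    concatenated straight into the report HTML, so any markup in the
    process command line becomes live markup in the report."""
    return "<p>Command line: " + " ".join(argv) + "</p>"


def render_escaped(argv):
    """Hardened pattern: every untrusted value is passed through html.escape,
    so '<', '>', '&' and quotes are rendered as text instead of markup."""
    return "<p>Command line: " + html.escape(" ".join(argv), quote=True) + "</p>"


class ActiveContentScanner(HTMLParser):
    """Collects script elements, on* event-handler attributes and
    javascript: URLs that actually parse as markup. Escaped text such as
    '&lt;img onerror=...&gt;' is character data and is never reported."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("<script> element")
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append(f"<{tag}> has event handler attribute {lname}")
            elif lname in ("src", "href") and value and value.strip().lower().startswith("javascript:"):
                self.findings.append(f"<{tag}> has javascript: URL in {lname}")


def scan_report(report_html):
    """Return a list of findings for a report file's HTML (empty if clean)."""
    scanner = ActiveContentScanner()
    scanner.feed(report_html)
    scanner.close()
    return scanner.findings


def parse_version(text):
    """Extract the first dotted numeric version from a string such as the
    output of `memray --version`. Assumption: the output contains one."""
    match = re.search(r"\d+(?:\.\d+)+", text)
    if match is None:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def is_vulnerable(version_text):
    """True when the installed version predates the fix in 1.19.2."""
    return parse_version(version_text) < FIXED_VERSION


if __name__ == "__main__":
    for label, renderer in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        report = renderer(SAMPLE_ARGV)
        print(f"{label}: {report}")
        print(f"  findings: {scan_report(report)}")
    for v in ("1.19.1", "memray 1.19.2", "1.19.3"):
        print(f"{v!r}: vulnerable={is_vulnerable(v)}")
```

Running the script shows the unescaped report being flagged for the injected `onerror` handler while the escaped report produces no findings, even though the same text is still visible in it. The scanner is a triage aid for the "inspect reports for injected tags or event handlers" step: it only reports constructs that the browser would actually interpret, which avoids false positives on escaped text that merely mentions `<script>`.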
CVE-2026-32722 is a cross-site scripting vulnerability in Memray versions 1.19.1 and earlier. It allows attackers to inject malicious HTML into generated reports, potentially leading to JavaScript execution.
If you are using Memray version 1.19.1 or earlier, you are affected by this vulnerability. Check your Memray version using memray --version.
Upgrade Memray to version 1.19.2 or later to resolve the vulnerability. Avoid attaching Memray to untrusted processes until the upgrade is complete.
As of the current disclosure date, there are no confirmed reports of active exploitation of CVE-2026-32722.
Refer to the Memray project's official channels (website, GitHub repository) for the latest advisory and updates regarding CVE-2026-32722.