CVE-2026-32722
Received Received - Intake
Cross-Site Scripting in Memray HTML Reports via Command Line

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-19
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32722
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
bloomberg memray to 1.19.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Memray, a memory profiler for Python, occurs because prior to version 1.19.2, Memray inserted the command line of the tracked process directly into generated HTML reports without escaping special characters.

This lack of escaping means that if an attacker controls the command line arguments, they can inject raw HTML and JavaScript into the report.

When a victim opens the generated report in a browser, the injected JavaScript can execute, leading to potential security issues.

This issue was fixed in Memray version 1.19.2 by properly escaping the command line input before rendering it in the HTML report.

Impact Analysis

This vulnerability can lead to cross-site scripting (XSS) attacks when a user opens a Memray-generated HTML report containing attacker-controlled command line arguments.

The impact includes the execution of malicious JavaScript code in the context of the victim's browser, which could be used to steal sensitive information, perform actions on behalf of the user, or deliver further attacks.

However, the CVSS score of 3.6 indicates a low severity, and the attack requires local access (attack vector: local) and user interaction (UI required).

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, upgrade Memray to version 1.19.2 or later, as this version fixes the issue by properly escaping command line arguments in generated HTML reports.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32722. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart