CVE-2026-32891
Stored XSS in Anchorr Jellyseerr Leads to Full Admin Takeover
Publication date: 2026-03-20
Last updated on: 2026-03-27
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openvessl | anchorr | up to 1.4.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-212 | The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the resource available to unauthorized actors. |
| CWE-80 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages. |
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32891 is a critical stored Cross-Site Scripting (XSS) vulnerability in Anchorr versions 1.4.1 and below, specifically in the Jellyseerr user selector. An attacker with a Jellyseerr account can inject malicious JavaScript into their display name, which executes in the Anchorr admin's browser when the admin opens the Mappings tab.
This injected script calls the authenticated /api/config endpoint, exposing the full application configuration including sensitive secrets like JWT_SECRET, DISCORD_TOKEN, JELLYFIN_API_KEY, and JELLYSEERR_API_KEY. With these secrets, the attacker can forge valid admin session tokens and gain full admin dashboard access without knowing the admin password.
The attacker can also take over integrated services such as the Jellyfin media server, Jellyseerr request manager, and the Discord bot simultaneously. The vulnerability arises because user data is inserted into the DOM using innerHTML without proper escaping, allowing script injection. [1]
How can this vulnerability impact me?
This vulnerability can lead to a complete compromise of the Anchorr admin account and dashboard. An attacker can gain full administrative access without the admin password by forging session tokens.
Additionally, the attacker can simultaneously take over all integrated services by stealing API keys and tokens, including the Jellyfin media server, Jellyseerr request manager, and the Discord bot.
The forged tokens remain valid for seven days and cannot be invalidated by logout or password changes, allowing persistent unauthorized access until manual intervention occurs.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your Anchorr deployment is running version 1.4.1 or below and integrated with Jellyseerr. Specifically, look for the presence of stored XSS payloads in Jellyseerr user display names or emails that are rendered unescaped in the Anchorr admin's browser.
To detect exploitation attempts or presence of malicious payloads, you can inspect the Jellyseerr user data for suspicious HTML or JavaScript code, such as <img> tags with onerror attributes.
Suggested commands to help detect this vulnerability or exploitation attempts include:
- Query the Jellyseerr user database or API for display names containing suspicious script tags or event handlers, e.g., using grep or database queries.
- Monitor web server logs for unusual requests to the /api/config endpoint from admin sessions, which may indicate exploitation.
- Use browser developer tools or automated scanning tools to inspect the Anchorr admin dashboard's Mappings tab for unescaped user data rendering. [1]
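The two technical points above, the innerHTML rendering defect named as the root cause and the detection step of scanning Jellyseerr user records for markup, as one added example. This is illustrative code written for this page, not Anchorr's or Jellyseerr's own source: the user record shape, the option-rendering functions, the indicator patterns and the sample users are all constructed assumptions.

```javascript
// Added example (not Anchorr's or Jellyseerr's code): the rendering defect
// behind CVE-2026-32891 side by side with its hardened form, plus a defensive
// scan of user records for content that should never appear in a display name.
// Field names, patterns and sample data below are constructed for illustration.

// Minimal HTML entity escaping. Applying this (or using textContent instead of
// innerHTML) is what stops a display name from being parsed as markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the user-controlled display name is interpolated raw into
// markup that the page later assigns to element.innerHTML.
function renderOptionUnsafe(user) {
  return `<option value="${user.id}">${user.displayName}</option>`;
}

// Hardened pattern: every untrusted field is escaped before it reaches markup.
function renderOptionSafe(user) {
  return `<option value="${escapeHtml(user.id)}">${escapeHtml(user.displayName)}</option>`;
}

// Indicators for a value that is supposed to be plain text: a tag opener (a
// letter must follow "<", so "Bob <3 movies" is not flagged), an inline event
// handler attribute, or a javascript: URL scheme.
const SUSPICIOUS = [
  { name: "html-tag", re: /<\s*\/?\s*[a-z][\w-]*/i },
  { name: "event-handler", re: /\bon[a-z]+\s*=/i },
  { name: "javascript-uri", re: /javascript\s*:/i },
];

// Scan Jellyseerr-style user records (assumed fields: id, displayName, email)
// and return one finding per field that matches at least one indicator.
function scanUsers(users) {
  const findings = [];
  for (const u of users) {
    for (const field of ["displayName", "email"]) {
      const v = u[field];
      if (typeof v !== "string") continue;
      const hits = SUSPICIOUS.filter((p) => p.re.test(v)).map((p) => p.name);
      if (hits.length > 0) findings.push({ id: u.id, field, indicators: hits });
    }
  }
  return findings;
}

// Constructed sample records, not real Jellyseerr data. Record 3 carries the
// kind of img/onerror payload the detection guidance above refers to.
const SAMPLE_USERS = [
  { id: 1, displayName: "alice", email: "alice@example.test" },
  { id: 2, displayName: "Bob <3 movies", email: "bob@example.test" },
  { id: 3, displayName: "<img src=x onerror=alert(1)>", email: "carol@example.test" },
  { id: 4, displayName: "dave", email: "javascript:void(0)" },
];

// Run the scan and show how each rendering path treats the payload record.
function demo() {
  const findings = scanUsers(SAMPLE_USERS);
  const payloadUser = SAMPLE_USERS[2];
  return {
    findings,
    unsafe: renderOptionUnsafe(payloadUser), // browser would parse the <img> tag
    safe: renderOptionSafe(payloadUser),     // browser shows the literal text
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Running the block prints two findings (record 3 on displayName, record 4 on email) and the two rendered strings; the safe rendering shows the payload as `&lt;img ...&gt;`, which a browser displays as text rather than executing. The same scan can be pointed at an export of the real user table; the escaping step is the fix to look for when verifying an upgraded build.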
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade Anchorr to version 1.4.2 or later, where this vulnerability has been fixed.
Additional immediate steps include:
- Avoid opening the Mappings tab in the Anchorr admin dashboard until the upgrade is applied, to prevent triggering the stored XSS payload.
- Review and sanitize Jellyseerr user display names and emails to remove any malicious scripts or HTML tags.
- Consider rotating all exposed API keys and tokens (JWT_SECRET, DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY) to prevent unauthorized access.
- Implement server-side token revocation or blacklisting mechanisms if possible to invalidate any forged tokens.