Home / Vulnerability Intelligence / CVE-2026-32890

CVE-2026-32890 - Vulnerability Analysis

CriticalCVSS: 9.6

Last Updated: March 20, 2026

Anchorr - Stored XSS

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

Anchorr <= 1.4.1 contains a stored XSS caused by improper sanitization in the User Mapping dropdown on the web dashboard, letting unprivileged Discord users execute arbitrary JavaScript in admin's browser, exploit requires attacker to be a guild member.

Severity & Score

Severity: Critical

CVSS Score: 9.6

EPSS Score: 5.3%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript in admin's browser and exfiltrate all stored credentials, leading to full system compromise.

Mitigation

Update to version 1.4.2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 20, 2026

🔴 CVE-2026-32890 - Critical (9.6) Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping drop... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32890/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32890
Severity: Critical
CVSS Score: 9.6
Type: stored_xss
Status: unconfirmed
EPSS: 5.3%
Social Posts: 1

CWE

CWE-79

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Score

5.3%Probability of exploitation in the next 30 days