CVE-2026-32891 - Vulnerability Analysis
Critical
CVSS: 9.0
Last Updated: March 20, 2026
Anchorr - Stored XSS
Published: March 20, 2026
Updated: March 20, 2026
Remote Exploitable
Overview
Anchorr <= 1.4.1 contains a stored XSS vulnerability caused by unsanitized input in the Jellyseerr user selector, which lets any account holder execute arbitrary JavaScript in the admin's browser. Exploitation requires the attacker to have an account.
Severity & Score
Severity: Critical
CVSS Score: 9.0
Impact
Attackers can execute arbitrary JavaScript, steal admin session tokens, and gain full admin access including API keys, leading to full account takeover.
Mitigation
Upgrade to version 1.4.2 or later.
Details
- CVE ID: CVE-2026-32891
- Severity: Critical
- CVSS Score: 9.0
- Type: stored_xss
- Status: new
CWE
- CWE-80
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H