Home / Vulnerability Intelligence / CVE-2026-32891

CVE-2026-32891 - Vulnerability Analysis

CriticalCVSS: 9.0

Last Updated: March 20, 2026

Anchorr - Stored XSS

Published: March 20, 2026Updated: March 20, 2026Remote Exploitable

Overview

Anchorr <= 1.4.1 contains a stored XSS caused by unsanitized input in the Jellyseerr user selector, letting any account holder execute arbitrary JavaScript in the admin's browser, exploit requires attacker to have an account.

Severity & Score

Severity: Critical

CVSS Score: 9.0

EPSS Score: 2.7%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary JavaScript, steal admin session tokens, and gain full admin access including API keys, leading to full account takeover.

Mitigation

Upgrade to version 1.4.2 or later.

References

Social Media Activity(1 post)

TheHackerWire

@thehackerwire

Mar 20, 2026

🔴 CVE-2026-32891 - Critical (9) Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. Versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector. Jellyseerr allows any acco... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-32891/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID: CVE-2026-32891
Severity: Critical
CVSS Score: 9.0
Type: stored_xss
Status: unconfirmed
EPSS: 2.7%
Social Posts: 1

CWE

CWE-80

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

EPSS Score

2.7%Probability of exploitation in the next 30 days