
Xdnewlun1

#26685 of 53,633
9.6 Total CVSS
Vulnerabilities · 1
PT-2026-26545
9.6
2026-03-20
Anchor · Anchor · CVE-2026-32890
**Name of the Vulnerable Software and Affected Versions**

Anchorr versions 1.4.1 and below

**Description**

Anchorr is a Discord bot used for requesting movies and TV shows and receiving notifications about media server updates. A stored Cross-site Scripting (XSS) issue exists in the web dashboard's User Mapping dropdown, allowing any unprivileged Discord user within the configured guild to execute arbitrary JavaScript in the Anchorr administrator's browser. This can be chained with the GET `/api/config` endpoint, which returns all secrets in plaintext. An attacker can potentially exfiltrate credentials including `DISCORD TOKEN`, `JELLYFIN API KEY`, `JELLYSEERR API KEY`, `JWT SECRET`, `WEBHOOK SECRET`, and bcrypt password hashes without authentication to Anchorr.

**Recommendations**

Update to version 1.4.2 or later.