PT-2026-25586 · Memray · Memray

0Xmrma · Published 2026-03-15 · Updated 2026-03-19 · CVE-2026-32722

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Memray versions prior to 1.19.2
Description: Memray, a memory profiler for Python, did not HTML-escape command-line arguments when rendering them into generated HTML reports. Attacker-controlled command-line arguments were therefore inserted into the report as raw HTML, and when a victim opens the generated report in a browser this can lead to JavaScript execution. The issue affects reports generated by both the memray flamegraph and memray table commands, with or without the --no-web option. An attacker who can influence the script name or command-line arguments of a profiled program can inject HTML/JavaScript into Memray-generated HTML reports. The root cause is the lack of HTML escaping when the process command-line arguments are embedded into the generated flame graph or table report using Jinja.
Recommendations: Upgrade to Memray version 1.19.2. Avoid attaching Memray to untrusted processes until you have upgraded.
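The defect class described above, as an added illustration that is not Memray's code: a hypothetical report template receives the profiled process's argv, first verbatim (the unescaped pattern) and then HTML-escaped, which is the same effect a Jinja template gets from autoescape=True or the |e filter. The template string, the constructed argv and the check function are all assumptions for this example.

```python
import html

# Constructed command line of a profiled process; one argument carries markup.
ARGV = ["python", "profiled_script.py", "--label",
        "<script>alert('constructed')</script>"]

# Hypothetical report template; Memray's real Jinja templates are not reproduced here.
TEMPLATE = ("<html><body><h1>Memory report</h1>"
            "<p>Command: {cmd}</p></body></html>")


def render_unsafe(argv):
    """The defect pattern: argv is joined and dropped into the HTML unchanged,
    so any markup inside an argument becomes part of the page."""
    return TEMPLATE.format(cmd=" ".join(argv))


def render_safe(argv):
    """Hardened form: every argument is HTML-escaped before insertion.
    Jinja's autoescape=True (or the |e filter) performs the same escaping."""
    escaped = " ".join(html.escape(arg, quote=True) for arg in argv)
    return TEMPLATE.format(cmd=escaped)


def report_is_escaped(report, argv):
    """Defender check for generated reports: an argument that contains
    HTML-significant characters must never appear verbatim in the output."""
    for arg in argv:
        if any(ch in arg for ch in "<>\"'&") and arg in report:
            return False
    return True


if __name__ == "__main__":
    print("unsafe report escaped:", report_is_escaped(render_unsafe(ARGV), ARGV))
    print("safe report escaped:  ", report_is_escaped(render_safe(ARGV), ARGV))
```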

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-32722
GHSA-R5PR-887V-M2W9

Affected Products

Memray