PT-2026-26546 · Discord+3
Rex50527 · Published 2026-03-20 · Updated 2026-03-22
CVE-2026-32891
CVSS v3.1: 9.0 (Critical)
| Vector | AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Anchorr versions 1.4.1 and below
Description
Anchorr is a Discord bot used for requesting movies and TV shows and for receiving notifications when items are added to a media server. A stored cross-site scripting (XSS) vulnerability exists in the Jellyseerr user selector: attacker-controlled input is rendered into the selector without being encoded, so any account holder can execute arbitrary JavaScript in the Anchorr administrator's browser session. The injected script runs with the administrator's session and calls the /api/config endpoint, which returns the full application configuration in plaintext. Using that configuration, the attacker can forge a valid Anchorr session token and gain full administrative access to the dashboard without knowing the administrator's password. The same response also exposes the API keys and tokens of the integrated services, which can lead to account takeover of the Jellyfin media server (via JELLYFIN API KEY), the Jellyseerr request manager (via JELLYSEERR API KEY) and the Discord bot (via DISCORD TOKEN).
Recommendations
Anchorr versions 1.4.1 and below should be updated to version 1.4.2 or later. Because the configuration response exposes the Jellyfin and Jellyseerr API keys and the Discord bot token, operators who cannot rule out prior exploitation should also rotate those credentials after upgrading.
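As an added illustration of the bug class described above, and not Anchorr's own code: a user selector that interpolates Jellyseerr display names straight into markup, beside a hardened version that HTML-encodes them before they reach the DOM. The user objects, the function names and the onerror payload are constructed for this example; the payload only requests /api/config the way the advisory describes and does not send the response anywhere.

```javascript
// Added example, not code from the Anchorr project. Shows a stored XSS in a
// user selector and the output-encoding fix. Every name below is hypothetical.

// Constructed sample: display names as a request manager might return them.
// The second user's name is an XSS payload; once it is live DOM, the onerror
// handler runs in the administrator's session and can read /api/config.
const SAMPLE_USERS = [
  { id: 1, displayName: "alice" },
  { id: 2, displayName: "<img src=x onerror=\"fetch('/api/config')\">" },
];

// HTML-encode the five characters that can break out of text or a
// double-quoted attribute. This is the fix: encode at output time, for the
// context the value is written into.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the display name is concatenated into markup that the page
// later assigns to innerHTML, so markup inside the name becomes live DOM.
function renderUserSelectVulnerable(users) {
  return (
    '<select id="jellyseerr-user">' +
    users.map((u) => `<option value="${u.id}">${u.displayName}</option>`).join("") +
    "</select>"
  );
}

// Hardened: both the attribute value and the text node are encoded, so the
// payload is displayed as literal text instead of being parsed as a tag.
function renderUserSelectSafe(users) {
  return (
    '<select id="jellyseerr-user">' +
    users
      .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.displayName)}</option>`)
      .join("") +
    "</select>"
  );
}

// Check used to compare the two renderers: true if the markup contains any
// tag the template itself did not emit (i.e. something user-supplied).
function hasForeignTag(html) {
  const allowed = new Set(["select", "/select", "option", "/option"]);
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][a-zA-Z0-9]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !allowed.has(t));
}

console.log("vulnerable:", renderUserSelectVulnerable(SAMPLE_USERS));
console.log("foreign tag present:", hasForeignTag(renderUserSelectVulnerable(SAMPLE_USERS)));
console.log("safe:", renderUserSelectSafe(SAMPLE_USERS));
console.log("foreign tag present:", hasForeignTag(renderUserSelectSafe(SAMPLE_USERS)));
```

Encoding is context-specific: the same value written into a JavaScript string or a URL needs a different encoder, and building the options with document.createElement and textContent avoids the question entirely. The hasForeignTag check is only a demonstration aid, not a substitute for encoding.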
Exploit
Fix
LPE
Missing Encryption of Sensitive Data
XSS
Related Identifiers
Affected Products
Anchorr
Discord
Jellyfin
Jellyseerr