CVE-2026-32722 - Vulnerability Details

- Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata

Description

Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.

Published: 2026-03-18

Score: 3.6 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Memray is a Python memory profiler that generates HTML reports. In versions prior to 1.19.2, the profiler inserts the command line of the profiled process directly into the report without escaping. This omission allows an attacker who can influence the command line to embed arbitrary JavaScript that is executed when a victim opens the report in a web browser. The vulnerability is a classic stored cross‑site scripting flaw (CWE‑79) and could lead to theft of session data, credential compromise, or arbitrary client‑side script execution.

Affected Systems

The affected product is Bloomberg’s memray, available for all platforms that support Python. All releases older than v1.19.2 are vulnerable. No further version granularity is listed in the vendor data, but the advisory explicitly states that v1.19.2 contains the fix and earlier releases do not.

Risk and Exploitability

The CVSS score is 3.6, indicating low severity, and the EPSS score is below 1%, suggesting a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to control the command line of a process that memray profiles and then have a user open the resulting HTML report, pointing to a local or potentially network‑shared file. Because the attack vector is client‑side and not a network‑based remote service, the risk is limited but still worth addressing to prevent accidental or intentional client‑side compromise.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

bloomberg

memray

affected

Version	Status	Constraints
`< 1.19.2`	affected	—

Configuration 1 [-]

cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*

No data.

Vendor Product Confidence Versions

Bloomberg

Memray

100%

Version	Status	Scheme	Platform
`[0,1.19.2)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade memray to version 1.19.2 or later.

Generated by OpenCVE AI on March 19, 2026 at 20:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-r5pr-887v-m2w9	Stored XSS in Memray-generated HTML reports via unescaped command-line metadata

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00013.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249
https://github.com/bloomberg/memray/releases/tag/v1.19.2
https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9

History

Thu, 19 Mar 2026 19:30:00 +0000

Type	Values Removed	Values Added
CPEs		cpe:2.3:a:bloomberg:memray::::::python::*

Thu, 19 Mar 2026 18:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 19 Mar 2026 09:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Bloomberg Bloomberg memray
Vendors & Products		Bloomberg Bloomberg memray

Wed, 18 Mar 2026 21:30:00 +0000

Type	Values Removed	Values Added
Description		Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
Title		Memray-generated HTML reports vulnerable to Stored XSS via unescaped command-line metadata
Weaknesses		CWE-79
References		https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249 https://github.com/bloomberg/memray/releases/tag/v1.19.2 https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
Metrics		cvssV3_1 `{'score': 3.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N'}`

Subscriptions

Bloomberg Memray

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-03-18T21:25:21.495Z

Updated: 2026-03-19T17:39:50.970Z

Reserved: 2026-03-13T15:02:00.625Z

Link: CVE-2026-32722

Vulnrichment

Updated: 2026-03-19T17:39:47.037Z

NVD

Status : Analyzed

Published: 2026-03-18T22:16:24.670

Modified: 2026-03-19T19:21:28.677

Link: CVE-2026-32722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T11:52:08Z

Weaknesses

CWE-79

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required None

Scope Changed

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object