Description
Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.
Published: 2026-03-20
Score: 9.7 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution leading to credential theft
Action: Immediate Patch
AI Analysis

Impact

Anchorr, a Discord bot used for media requests, contains a stored cross‑site scripting flaw in the web dashboard’s User Mapping dropdown. An attacker who is an unprivileged member of the configured Discord guild can insert malicious JavaScript into this field. When the bot’s administrator later visits the dashboard, the stored payload is executed in the administrator’s browser, enabling the attacker to run arbitrary code with the same privileges as the admin. The attacker can then call the unprotected GET /api/config endpoint, which returns all credentials in plaintext, including DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes. The vulnerability is categorized as CWE‑79 and CWE‑200 and carries a CVSS score of 9.7.

Affected Systems

The issue affects the openVESSL Anchorr bot version 1.4.1 and all earlier releases. The bug exists in the web dashboard component of the bot. Users running these versions and operating the administrative dashboard are vulnerable. Updates to Anchorr v1.4.2 and later contain the fix.

Risk and Exploitability

The flaw is high‑severity with an EPS score below 1 % and is not listed in the CISA KEV catalog, indicating low current exploitation activity. However, the vulnerability can be leveraged without any authentication against Anchorr itself; the only requirement is that the attacker has Discord membership in the guild configured for the bot. Because the stored payload runs in the administrator’s browser, any compromised admin session leads to full credential theft. The attack path is straightforward: an attacker injects malicious JavaScript via the dropdown, the next admin who views the dashboard triggers the payload, and the attacker exfiltrates secrets via the unsecured /api/config endpoint.

Generated by OpenCVE AI on March 27, 2026 at 17:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Anchorr to version 1.4.2 or newer, where the XSS vulnerability and open /api/config endpoint have been fixed.
  • If upgrading is delayed, immediately remove or restrict access to the User Mapping dropdown so that only trusted administrators can edit it.
  • Restrict access to the /api/config endpoint, requiring authentication or removing it entirely from the deployment.
  • Verify that the bot’s administrative dashboard is only accessed over secure HTTPS connections and limit exposure to internal networks when possible.
  • Regularly review and audit the bot’s configuration files and secret storage to detect any unauthorized changes.

Generated by OpenCVE AI on March 27, 2026 at 17:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Mar 2026 16:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:discord:anchorr:*:*:*:*:*:*:*:* cpe:2.3:a:openvessl:anchorr:*:*:*:*:*:*:*:*
Vendors & Products Discord
Discord anchorr

Fri, 27 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared Discord
Discord anchorr
CPEs cpe:2.3:a:discord:anchorr:*:*:*:*:*:*:*:*
Vendors & Products Discord
Discord anchorr

Fri, 20 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Openvessl
Openvessl anchorr
Vendors & Products Openvessl
Openvessl anchorr

Fri, 20 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Anchorr is a Discord bot for requesting movies and TV shows and receiving notifications when items are added to a media server. In versions 1.4.1 and below, a stored Cross-site Scripting (XSS) vulnerability in the web dashboard's User Mapping dropdown allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the Anchorr admin's browser. By chaining this with the GET /api/config endpoint (which returns all secrets in plaintext), an attacker can exfiltrate every credential stored in Anchorr which includes DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes without any authentication to Anchorr itself. This issue has been fixed in version 1.4.2.
Title Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config
Weaknesses CWE-200
CWE-79
References
Metrics cvssV3_1

{'score': 9.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Openvessl Anchorr
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T18:08:39.685Z

Reserved: 2026-03-16T21:03:44.422Z

Link: CVE-2026-32890

cve-icon Vulnrichment

Updated: 2026-03-20T16:54:58.814Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T03:16:00.060

Modified: 2026-03-27T16:23:02.673

Link: CVE-2026-32890

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T20:26:52Z

Weaknesses