CVE-2026-32722: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bloomberg memray
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
AI Analysis
Technical Summary
CVE-2026-32722 is a cross-site scripting (CWE-79) vulnerability found in Bloomberg's Memray, a memory profiling tool for Python applications. The vulnerability exists in versions of Memray prior to 1.19.2, where the tool renders the command line arguments of the profiled process directly into the generated HTML report without proper escaping or sanitization. Because the command line arguments can be attacker-controlled, malicious input can be injected as raw HTML and JavaScript into the report. When a user opens this report in a web browser, the embedded script executes in the context of the report, potentially exposing sensitive information or performing unauthorized actions within the user's browser session. The vulnerability has a CVSS 3.1 base score of 3.6, reflecting low severity primarily due to the requirement for local access to generate or receive the malicious report and the need for user interaction to open it. The scope is considered changed (S:C) because the vulnerability affects the confidentiality of information within the report context. The flaw does not impact the integrity or availability of the system running Memray. Bloomberg addressed this issue in Memray version 1.19.2 by implementing proper escaping of command line arguments before rendering them into HTML. No known exploits are reported in the wild as of the publication date. This vulnerability highlights the risks of improper input neutralization in developer tools that generate HTML outputs, which can be leveraged for XSS attacks if untrusted input is included without sanitization.
Potential Impact
The primary impact of this vulnerability is the potential compromise of confidentiality when a user opens a maliciously crafted Memray report in a web browser. An attacker who can control the command line arguments of a profiled process can inject JavaScript into the report, which executes in the victim's browser context. This could lead to theft of sensitive information displayed in the report or exploitation of the user's browser session. However, the vulnerability does not affect system integrity or availability, and exploitation requires local or trusted access to generate or receive the malicious report, as well as user interaction to open it. The risk is therefore limited to environments where untrusted or attacker-controlled command line inputs are profiled and reports are shared without validation. Organizations using Memray in development, testing, or production profiling workflows may face risks if they open reports generated from untrusted sources. The vulnerability could be leveraged in targeted attacks against developers or analysts who routinely open profiling reports, potentially exposing internal data or credentials. Overall, the impact is low but non-negligible in sensitive environments.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade Memray to version 1.19.2 or later, where the issue is fixed by proper escaping of command line arguments in HTML reports. Until the upgrade is applied, users should avoid opening Memray-generated HTML reports from untrusted or unknown sources. Implement strict access controls to limit who can run Memray profiling on systems and who can generate or view reports. Incorporate security awareness training to inform developers and analysts about the risks of opening untrusted reports. Consider scanning or sanitizing command line inputs before profiling if possible. Additionally, use browser security features such as Content Security Policy (CSP) to restrict script execution in local HTML files, reducing the impact of potential XSS payloads. Monitor internal usage of Memray reports and audit for any suspicious activity or unexpected report generation. Finally, maintain an inventory of tools and versions used in development environments to ensure timely patching of vulnerabilities.
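As an added illustration of the fix the advisory describes, and not Memray's own code, the following Python compares a report renderer that interpolates the tracked command line into HTML verbatim with one that escapes it first, and uses the standard-library HTML parser as a check that the escaped report parses to nothing beyond the template's own elements. The report template, the sample argv, and all function names are constructed for this example; the real Memray template is not reproduced.

```python
import html
import shlex
from html.parser import HTMLParser

# Constructed sample input (not from the advisory): argv of a profiled process
# whose arguments happen to contain HTML markup and a double quote.
SAMPLE_ARGV = ["python", "app.py", "--label", "<script>alert(1)</script>", "--note", 'a"b']
SAMPLE_PEAK_BYTES = 10485760

# Minimal stand-in for a report template (hypothetical, not Memray's).
REPORT_TEMPLATE = """<!doctype html>
<html><head><meta charset="utf-8"><title>Memory report</title></head>
<body>
<h1>Allocation report</h1>
<p>Command line: <code>{cmdline}</code></p>
<p>Peak memory: {peak_bytes} bytes</p>
</body></html>
"""


def render_unescaped(argv, peak_bytes):
    """The pattern the advisory describes: the command line lands in HTML as-is."""
    return REPORT_TEMPLATE.format(cmdline=shlex.join(argv), peak_bytes=int(peak_bytes))


def render_escaped(argv, peak_bytes):
    """Hardened form: build the shell-style command line first, then escape it
    for an HTML text context. quote=True also neutralizes ' and " so the same
    value is safe inside a quoted attribute."""
    cmdline = html.escape(shlex.join(argv), quote=True)
    return REPORT_TEMPLATE.format(cmdline=cmdline, peak_bytes=int(peak_bytes))


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(report_html):
    """Tag names a browser-like parser produces from the report. Raw attacker
    markup shows up here as extra elements; escaped text does not."""
    parser = _TagCollector()
    parser.feed(report_html)
    parser.close()
    return parser.tags


# The elements the template itself emits, in order.
EXPECTED_TAGS = ["html", "head", "meta", "title", "body", "h1", "p", "code", "p"]


def has_unexpected_elements(report_html):
    """True when the rendered report contains elements the template did not emit,
    i.e. when interpolated data was interpreted as markup."""
    return element_tags(report_html) != EXPECTED_TAGS


if __name__ == "__main__":
    for name, render in (("unescaped", render_unescaped), ("escaped", render_escaped)):
        report = render(SAMPLE_ARGV, SAMPLE_PEAK_BYTES)
        print(f"{name}: tags={element_tags(report)} unexpected={has_unexpected_elements(report)}")
```

The order matters: quoting for the shell (`shlex.join`) is about faithfully displaying the command, while `html.escape` is about the output context, so the HTML escape is applied last, to the final string that reaches the template. The parser-based check is the kind of assertion a unit test for a report generator can carry so that a regression to verbatim interpolation fails the build.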
Affected Countries
United States, United Kingdom, Germany, Japan, India, Canada, Australia, France, Netherlands, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-13T15:02:00.625Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bb1c7a771bdb1749c7cd16
Added to database: 3/18/2026, 9:43:22 PM
Last enriched: 3/18/2026, 9:58:00 PM
Last updated: 3/19/2026, 4:50:58 AM