
CVE-2026-32722: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in bloomberg memray

Published: Wed Mar 18 2026 (03/18/2026, 21:25:21 UTC)
Source: CVE Database V5
Vendor/Project: bloomberg
Product: memray

Description

CVE-2026-32722 is a cross-site scripting (XSS) vulnerability in Bloomberg's Memray, a Python memory profiler. Versions prior to 1.19.2 render command line arguments directly into HTML reports without proper escaping, allowing attacker-controlled input to execute JavaScript when the report is viewed in a browser. The vulnerability requires local access to generate a report with malicious input and user interaction to open the report. The CVSS score is 3.6 (low severity) due to limited impact and exploitation complexity. No known exploits are currently reported in the wild. The issue is fixed in Memray version 1.19.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 03/26/2026, 01:09:08 UTC

Technical Analysis

CVE-2026-32722 is a cross-site scripting (XSS) vulnerability categorized under CWE-79 affecting Bloomberg's Memray, a memory profiling tool for Python applications. The vulnerability exists in Memray versions prior to 1.19.2, where the command line arguments of the tracked process are embedded directly into the generated HTML profiling reports without proper HTML escaping or sanitization. This improper neutralization of input allows an attacker who can control the command line arguments to inject arbitrary JavaScript code into the report. When a user opens the generated HTML report in a web browser, the injected script executes in the context of the report, potentially leading to client-side code execution. The vulnerability requires that the attacker has the ability to influence the command line arguments of the process being profiled, which typically implies local or development environment access. Additionally, the victim must open the maliciously crafted HTML report for the XSS payload to trigger. The vulnerability has a CVSS v3.1 base score of 3.6, reflecting low severity due to limited attack vector (local), low complexity, no privileges required, but requiring user interaction. The scope is changed (S:C) because the vulnerability affects the confidentiality of the user's environment when the report is viewed. No known exploits have been reported in the wild as of the publication date. Bloomberg addressed the issue in Memray version 1.19.2 by implementing proper escaping of command line arguments before embedding them into HTML reports, effectively mitigating the XSS risk.
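To make the escaping fix concrete, the following added example (not Memray's own code) renders a constructed command line into an HTML fragment both in the unescaped form the analysis describes and in the escaped form of the fix, then parses each fragment to list the elements a browser would actually create. The fragment layout, SAMPLE_ARGV and the helper names are assumptions for illustration.

```python
import html
from html.parser import HTMLParser

# Constructed sample argv for the demonstration: the last argument carries
# markup that would run in the browser if it reached the report unescaped.
SAMPLE_ARGV = ["python", "app.py", "--label", '"><script>alert(1)</script>']


def render_unsafe(argv):
    """The CWE-79 pattern: untrusted strings interpolated straight into HTML,
    once inside a quoted attribute and once in text context."""
    cmd = " ".join(argv)
    return f'<p class="cmdline" title="{cmd}">Command line: {cmd}</p>'


def render_safe(argv):
    """Hardened form: escape each argument before it touches the markup.

    html.escape(..., quote=True) turns &, <, >, " and ' into entities, so a
    value can neither close the title attribute nor open a new element."""
    cmd = " ".join(html.escape(arg, quote=True) for arg in argv)
    return f'<p class="cmdline" title="{cmd}">Command line: {cmd}</p>'


class _TagCollector(HTMLParser):
    """Records every start tag the parser sees, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(fragment):
    """Return the element names a browser-like parser creates from fragment.
    A report whose only tag is the intended <p> has kept the argv as text."""
    collector = _TagCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags
```

Running element_tags over both renderings shows the unescaped fragment gaining two script elements (one from the attribute breakout, one from the text context), while the escaped fragment contains only the intended paragraph.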

Potential Impact

The primary impact of CVE-2026-32722 is the potential for client-side script execution when a user opens a maliciously crafted Memray HTML report. This could lead to theft of sensitive information accessible in the browser context, session hijacking, or execution of arbitrary scripts within the user's environment. However, exploitation requires that an attacker can control the command line arguments of the process being profiled and that the victim opens the generated report, limiting the attack surface primarily to development or testing environments. For organizations, this vulnerability could lead to exposure of sensitive profiling data or compromise of developer workstations if exploited. While the impact on production systems is minimal, the risk to development pipelines and internal tooling environments is notable. The vulnerability does not affect the integrity or availability of the Memray tool or the profiled applications directly. Given the low CVSS score and lack of known exploits, the immediate risk is low, but organizations should not ignore the potential for targeted attacks in environments where Memray is used.

Mitigation Recommendations

To mitigate CVE-2026-32722, organizations should upgrade Memray to version 1.19.2 or later, where the vulnerability is fixed by proper escaping of command line arguments in HTML reports. Until upgrading, avoid opening Memray-generated HTML reports from untrusted or unknown sources. Implement strict access controls to limit who can run Memray profiling on systems, reducing the risk of attacker-controlled command line arguments. Incorporate security reviews of profiling reports before sharing or opening them in browsers. Consider sandboxing or isolating environments where Memray reports are viewed to limit potential script execution impact. Educate developers and operations teams about the risk of opening profiling reports from untrusted inputs. Regularly monitor for updates from Bloomberg and apply patches promptly. Additionally, integrate Memray usage into broader application security and development lifecycle controls to detect and prevent injection of malicious inputs into profiling tools.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-13T15:02:00.625Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bb1c7a771bdb1749c7cd16

Added to database: 3/18/2026, 9:43:22 PM

Last enriched: 3/26/2026, 1:09:08 AM

Last updated: 5/2/2026, 10:31:29 PM
