Anchorr is a Discord bot designed to facilitate media requests and notifications for movies and TV shows. Versions 1.4.1 and earlier contain a stored Cross-site Scripting (XSS) vulnerability (CWE-79) in the web dashboard's User Mapping dropdown. This flaw permits any unprivileged Discord user within the configured guild to inject and execute arbitrary JavaScript code in the browser session of an Anchorr administrator. The attack vector involves injecting malicious scripts that execute when the admin interacts with the vulnerable dropdown. The attacker can then leverage the GET /api/config endpoint, which returns all stored secrets in plaintext without requiring authentication, to exfiltrate highly sensitive information such as DISCORD_TOKEN, JELLYFIN_API_KEY, JELLYSEERR_API_KEY, JWT_SECRET, WEBHOOK_SECRET, and bcrypt password hashes. This combination of XSS and unauthorized API access leads to a complete compromise of the Anchorr instance's confidentiality, integrity, and availability. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation) and CWE-200 (Exposure of Sensitive Information). The issue was publicly disclosed on March 20, 2026, with a critical CVSS 3.1 score of 9.7, reflecting its severe impact and ease of exploitation. The vendor addressed the vulnerability in version 1.4.2 by sanitizing inputs and restricting access to sensitive endpoints.

The impact of CVE-2026-32890 is severe for organizations using Anchorr as part of their media server management and Discord integration. Exploitation allows attackers to execute arbitrary JavaScript in the context of an admin's browser, leading to full credential theft without requiring any authentication to the Anchorr backend. This compromises all stored secrets, including Discord tokens and API keys, which can be used to further escalate privileges, manipulate media servers, or pivot to other connected systems. The exposure of bcrypt password hashes also risks offline password cracking attempts. The vulnerability undermines the confidentiality, integrity, and availability of the Anchorr service and any connected infrastructure. Organizations may face unauthorized access, data leakage, service disruption, and potential lateral movement within their networks. Given the critical nature and the ease of exploitation by any guild member, the threat is significant for any entity relying on Anchorr for media management and Discord bot functionality.

To mitigate this vulnerability, organizations should immediately upgrade Anchorr to version 1.4.2 or later, which contains the necessary input sanitization and access control fixes. Until the upgrade is applied, restrict access to the Anchorr web dashboard strictly to trusted administrators and minimize the number of users in the configured Discord guild who can interact with the bot. Implement network-level controls to limit access to the API endpoints, especially the GET /api/config endpoint, to authorized personnel only. Monitor Discord guild activity for suspicious behavior, particularly unexpected script injections or unusual admin browser activity. Employ Content Security Policy (CSP) headers on the Anchorr dashboard to reduce the impact of potential XSS attacks. Regularly audit and rotate all exposed credentials, including Discord tokens and API keys, after patching the vulnerability. Finally, educate administrators about the risks of interacting with untrusted content within the dashboard interface.