CVE-2026-32890: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in openVESSL Anchorr
CVE-2026-32890 is a critical stored Cross-site Scripting (XSS) vulnerability in the Anchorr Discord bot, versions 1.4.1 and below. It allows any unprivileged Discord user in the configured guild to execute arbitrary JavaScript in the administrator's browser via the web dashboard's User Mapping dropdown. By chaining this XSS with the unauthenticated GET /api/config endpoint, an attacker can exfiltrate every sensitive credential stored in Anchorr, including the Discord token, API keys, JWT secret, webhook secret, and password hashes. The vulnerability impacts confidentiality, integrity, and availability and carries a CVSS v3.1 base score of 9.7. The issue is fixed in version 1.4.2.
AI Analysis
Technical Summary
Anchorr is a Discord bot that handles media requests and notifications for movies and TV shows and ships a web dashboard for its administrator. Versions 1.4.1 and earlier render the dashboard's User Mapping dropdown without neutralizing text that guild members control, so any unprivileged member of the configured guild can store a JavaScript payload that executes in the administrator's browser as soon as the page containing that dropdown is opened (CWE-79, stored XSS); no link has to be clicked. A second weakness makes the chain severe: GET /api/config requires no authentication and returns the bot's secrets in plaintext, including the Discord bot token, the Jellyfin and Jellyseerr API keys, the JWT secret, the webhook secret, and bcrypt password hashes. Script running in the administrator's origin can therefore fetch that endpoint and forward the response to the attacker, compromising the instance without ever authenticating to it. The chain matters most where the dashboard is reachable only from the administrator's network, since the browser then acts as the bridge; where the dashboard is exposed directly, the unauthenticated endpoint alone leaks the same data. Version 1.4.2 addresses both issues by sanitizing the rendered input and securing the API endpoint. No exploitation in the wild had been reported as of publication.
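The following is an added example, not Anchorr's code, showing how text a guild member controls turns into script when a server-rendered dropdown is built by string concatenation, and how contextual output encoding neutralizes it. The members, display names, and the `findSuspiciousDisplayNames` triage helper are constructed for illustration; only the route path /api/config comes from the advisory.

```javascript
// Added example, not Anchorr's code: a vulnerable and a hardened renderer for a
// "User Mapping" <select>, plus a triage helper for cached member names.
// All member data below is constructed.

// A Discord member can set an arbitrary display name. The third one is an XSS
// payload that, in a vulnerable dashboard, would fetch /api/config from the
// administrator's authenticated origin (the chain the advisory describes).
const guildMembers = [
  { id: '100000000000000001', displayName: 'alice' },
  { id: '100000000000000002', displayName: 'Bob & Co' },
  {
    id: '100000000000000003',
    displayName:
      '<img src=x onerror="fetch(\'/api/config\').then(r => r.text()).then(console.log)">',
  },
];

// Contextual output encoding for HTML text and double-quoted attribute values.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (CWE-79): untrusted text concatenated straight into markup.
// The browser parses the payload as an element and fires its onerror handler.
function renderUserMappingUnsafe(members) {
  let html = '<select name="discordUser">';
  for (const m of members) {
    html += `<option value="${m.id}">${m.displayName}</option>`;
  }
  return html + '</select>';
}

// Hardened pattern: every interpolated value is encoded for the context it
// lands in, so the payload is displayed as literal text instead of parsed.
function renderUserMappingSafe(members) {
  let html = '<select name="discordUser">';
  for (const m of members) {
    html += `<option value="${escapeHtml(m.id)}">${escapeHtml(m.displayName)}</option>`;
  }
  return html + '</select>';
}

// Triage helper for an incident responder: which cached member names carry
// markup or event-handler syntax and deserve a closer look. Returns member ids.
const MARKUP_PATTERN = /[<>]|javascript:|\bon\w+\s*=/i;
function findSuspiciousDisplayNames(members) {
  return members.filter((m) => MARKUP_PATTERN.test(m.displayName)).map((m) => m.id);
}

console.log('unsafe:', renderUserMappingUnsafe(guildMembers));
console.log('safe:  ', renderUserMappingSafe(guildMembers));
console.log('suspicious member ids:', findSuspiciousDisplayNames(guildMembers));
```

The same rule applies to client-side rendering: build each `<option>` with `document.createElement` and assign the label through `textContent`, never through `innerHTML`. Encoding is the fix; the triage helper only helps find payloads that are already stored.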
Potential Impact
For deployments running Anchorr below 1.4.2, successful exploitation hands the attacker every secret the bot holds without any authentication to the instance. With the Discord bot token the attacker can act as the bot inside the guild with whatever permissions it has been granted; with the Jellyfin and Jellyseerr API keys they can read from and manipulate the media servers and their request queues; with the JWT secret they can forge any tokens the instance signs with it and keep access after the XSS itself is patched; and the webhook secret lets them forge webhook calls the bot would otherwise trust. The bcrypt password hashes can be cracked offline, exposing any passwords the administrator reuses elsewhere. Taken together, this is a loss of confidentiality, integrity, and availability for the Anchorr instance, a disruption risk for the media services behind it, and a lateral-movement path into the connected infrastructure, which is why the advisory rates the issue critical.
Mitigation Recommendations
1. Upgrade Anchorr to version 1.4.2 or later immediately; this is the only fix for the underlying flaws.
2. Restrict access to the Anchorr web dashboard to trusted administrators, ideally behind a VPN or network allowlist rather than exposed to the internet. Until the upgrade is applied, block GET /api/config at a reverse proxy, since the endpoint leaks secrets to anyone who can reach it.
3. Serve the dashboard with a Content Security Policy that does not allow 'unsafe-inline' scripts and restricts connect-src, so an injected event handler neither executes nor reaches an attacker's host. A reverse proxy can add the header if the application does not. CSP is defense in depth and does not replace the upgrade.
4. Treat every secret as compromised if a vulnerable version was ever used with untrusted members in the guild, because exploitation needs only guild membership plus one administrator page view. After upgrading, regenerate the Discord bot token, the Jellyfin and Jellyseerr API keys, the JWT secret (which invalidates existing sessions), and the webhook secret, and reset dashboard passwords, since their bcrypt hashes were exposed.
5. Review Anchorr and reverse-proxy logs for requests to /api/config that did not come from an administrator's session, and review Discord guild member display names and related profile text for HTML markup or event-handler syntax.
6. Do not rely on administrator awareness: the payload fires when the User Mapping view is rendered, not when a link is clicked. Until patched, administrators should avoid opening that view while untrusted members are in the guild.
7. Run Anchorr in a segmented environment with only the network access it needs, so that a compromised instance cannot be used as a pivot to the rest of the media infrastructure.
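Recommendations 2 through 4 describe server-side controls. The following is an added, framework-free example (not Anchorr's code) of what those controls look like on a route with the advisory's path /api/config: an admin-session check, redaction so secrets never reach the client, and a restrictive CSP. The config fields, cookie name, session store and header values are assumptions chosen for illustration; the secrets are placeholders.

```javascript
// Added example, not Anchorr's code: hardening a config endpoint so that
// neither an unauthenticated caller nor script running in the admin's browser
// can pull secrets out of it. All data below is constructed.

// Constructed in-memory configuration of the kind the advisory says leaked.
const storedConfig = {
  discordToken: 'DISCORD-TOKEN-PLACEHOLDER',
  jellyfinApiKey: 'JELLYFIN-KEY-PLACEHOLDER',
  jellyseerrApiKey: 'JELLYSEERR-KEY-PLACEHOLDER',
  jwtSecret: 'JWT-SECRET-PLACEHOLDER',
  webhookSecret: 'WEBHOOK-SECRET-PLACEHOLDER',
  adminPasswordHash: '$2b$12$PLACEHOLDER-BCRYPT-HASH',
  guildId: '100000000000000000',
  dashboardPort: 3000,
};
const SECRET_FIELDS = new Set([
  'discordToken', 'jellyfinApiKey', 'jellyseerrApiKey',
  'jwtSecret', 'webhookSecret', 'adminPasswordHash',
]);

// Constructed session store (cookie value -> session). A real one would hold
// signed, expiring sessions; only the shape matters here.
const sessions = new Map([['s3ss10n-admin', { user: 'admin', role: 'admin' }]]);

function parseCookies(header) {
  const cookies = {};
  for (const part of String(header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    cookies[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return cookies;
}

// Control 1: the config route is reachable only with an admin session.
function requireAdmin(req) {
  const session = sessions.get(parseCookies(req.headers.cookie).session);
  return session && session.role === 'admin' ? session : null;
}

// Control 2: secrets never leave the server. The dashboard only needs to know
// whether a value is configured, so each secret is replaced by a marker.
function redactConfig(config) {
  const redacted = {};
  for (const [key, value] of Object.entries(config)) {
    redacted[key] = SECRET_FIELDS.has(key) ? (value ? '[set]' : '[unset]') : value;
  }
  return redacted;
}

// Control 3: defense-in-depth headers for every dashboard response. Without
// 'unsafe-inline', an injected onerror= handler does not run even if an
// encoding bug slips through, and connect-src 'self' stops script from posting
// data to an attacker's host. If the dashboard needs inline scripts, add a
// per-response nonce to script-src rather than 'unsafe-inline'.
function securityHeaders() {
  return {
    'Content-Security-Policy':
      "default-src 'self'; script-src 'self'; object-src 'none'; " +
      "base-uri 'none'; frame-ancestors 'none'; connect-src 'self'",
    'X-Content-Type-Options': 'nosniff',
    'Cache-Control': 'no-store',
  };
}

// Handler over a minimal { method, headers } request shape, returning
// { status, headers, body } so it can be wired to http.createServer or tested.
function handleConfigRequest(req) {
  const headers = { ...securityHeaders(), 'Content-Type': 'application/json' };
  if (req.method !== 'GET') {
    return { status: 405, headers, body: JSON.stringify({ error: 'method not allowed' }) };
  }
  if (!requireAdmin(req)) {
    return { status: 401, headers, body: JSON.stringify({ error: 'authentication required' }) };
  }
  return { status: 200, headers, body: JSON.stringify(redactConfig(storedConfig)) };
}
```

To serve it, pass each incoming request to `handleConfigRequest` inside `http.createServer` and write back `status`, `headers` and `body`. Redaction is the control that would have blunted this particular chain even with the XSS present: a page that never receives secret material has none to exfiltrate.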
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, Brazil, India
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-16T21:03:44.422Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69bcbde5e32a4fbe5f2545aa
Added to database: 3/20/2026, 3:24:21 AM
Last enriched: 3/20/2026, 3:40:02 AM
Last updated: 3/20/2026, 6:56:46 AM