
CVE-2026-32891: CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in openVESSL Anchorr

Severity: Critical
Tags: Vulnerability, CVE-2026-32891, CWE-80, CWE-212, CWE-311
Published: Fri Mar 20 2026 (03/20/2026, 02:38:43 UTC)
Source: CVE Database V5
Vendor/Project: openVESSL
Product: Anchorr

Description

CVE-2026-32891 is a critical stored cross-site scripting (XSS) vulnerability in Anchorr versions 1.4.1 and below, a Discord bot used for media requests and notifications. The flaw exists in the Jellyseerr user selector, allowing any authenticated user to inject arbitrary JavaScript into the Anchorr admin's browser session. This script can call the authenticated /api/config endpoint, exposing the full application configuration, including API keys and tokens. Exploitation enables attackers to forge valid admin session tokens without knowing the admin password, gaining full dashboard control. Additionally, attackers can take over integrated services such as the Jellyfin media server, the Jellyseerr request manager, and the Discord bot itself. The vulnerability has been fixed in version 1.4.2.

AI-Powered Analysis

Last updated: 03/20/2026, 03:39:47 UTC

Technical Analysis

Anchorr is a Discord bot that facilitates media requests and notifications by integrating with media servers and request managers such as Jellyfin and Jellyseerr. Versions 1.4.1 and earlier contain a stored cross-site scripting (XSS) vulnerability (CWE-80) in the Jellyseerr user selector component. It allows any authenticated user to inject JavaScript that executes in the context of the Anchorr admin's browser session. The injected script calls the authenticated /api/config endpoint, which returns the entire application configuration in plaintext, including sensitive API keys and tokens such as JELLYFIN_API_KEY, JELLYSEERR_API_KEY, and DISCORD_TOKEN. With these credentials, an attacker can forge a valid admin session token, bypassing authentication without the admin password, and gain full administrative access to the Anchorr dashboard. That access gives complete control over the bot and the connected services, enabling media server takeover and manipulation of request management and Discord bot operations. The vulnerability also involves improper handling of sensitive data (CWE-212) and exposure of sensitive information via an insecure channel (CWE-311). The issue was publicly disclosed on March 20, 2026, and fixed in version 1.4.2. The CVSS v3.1 base score of 9.1 reflects its critical nature: network attack vector, low attack complexity, low privileges required, some user interaction required, and a scope change because multiple components are compromised.

Potential Impact

The impact of CVE-2026-32891 is severe for organizations using Anchorr versions prior to 1.4.2. Successful exploitation results in full administrative control over the Anchorr dashboard, enabling attackers to manipulate media requests, notifications, and bot behavior. More critically, attackers gain access to API keys and tokens for integrated services, allowing simultaneous takeover of the Jellyfin media server, Jellyseerr request manager, and the Discord bot. This can lead to unauthorized data access, media content manipulation or deletion, disruption of media services, and potential lateral movement within the victim's network if these services are interconnected. The exposure of sensitive tokens also risks further compromise of associated Discord servers and user accounts. Given the integration with popular media management tools and Discord, the threat extends beyond a single application, potentially affecting user privacy, service availability, and organizational reputation. Although no known exploits are reported in the wild yet, the critical severity and ease of exploitation make this vulnerability a high priority for patching.

Mitigation Recommendations

Organizations should immediately upgrade Anchorr to version 1.4.2 or later to remediate this vulnerability. Until the upgrade is applied, restrict access to the Anchorr admin dashboard to trusted users and networks to minimize exposure. Implement Content Security Policy (CSP) headers to reduce the impact of potential XSS attacks by restricting script execution sources. Review and rotate all API keys and tokens exposed by the vulnerability, including those for Jellyfin, Jellyseerr, and Discord integrations, to invalidate any potentially compromised credentials. Conduct a thorough audit of logs and system activity to detect any signs of exploitation or unauthorized access. Educate users about the risks of injecting untrusted input and enforce strict input validation and sanitization in custom integrations. Additionally, consider isolating the Anchorr service and its integrations within segmented network zones to limit lateral movement in case of compromise. Monitor official vendor channels for any further updates or patches and apply them promptly.
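As an added defensive illustration (example code, not Anchorr's own), the following JavaScript shows the two fixes the analysis above implies: HTML-escaping user display names before they are rendered into the admin's selector, and redacting secret keys such as JELLYFIN_API_KEY, JELLYSEERR_API_KEY and DISCORD_TOKEN from a config API response. The option markup, the key-name pattern and all sample values are assumptions.

```javascript
// Added defensive example, not Anchorr's code. It covers the two weaknesses the
// advisory describes: an unescaped user display name reaching the admin's DOM
// (CWE-80) and a config endpoint returning secrets to the browser.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the characters that let text break out of an HTML text node or attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build one <option> for a user selector (hypothetical markup). Both the
// attribute value and the visible text are escaped, so a display name that
// contains markup is shown literally instead of being parsed as HTML.
function renderUserOption(user) {
  return `<option value="${escapeHtml(user.id)}">${escapeHtml(user.displayName)}</option>`;
}

// Keys named in the advisory that must never be sent to a browser session,
// plus an assumed pattern that catches similarly named secrets.
const SECRET_KEYS = new Set(["JELLYFIN_API_KEY", "JELLYSEERR_API_KEY", "DISCORD_TOKEN"]);
const SECRET_PATTERN = /(_KEY|_TOKEN|_SECRET|PASSWORD)$/i;

// Return a copy of the config in which each secret is replaced by a flag saying
// whether it is set. The dashboard can still show "configured / not configured"
// without the raw value ever crossing the wire.
function redactConfig(config) {
  const out = {};
  for (const [key, value] of Object.entries(config)) {
    if (SECRET_KEYS.has(key) || SECRET_PATTERN.test(key)) {
      out[key] = { configured: value !== undefined && value !== null && value !== "" };
    } else {
      out[key] = value;
    }
  }
  return out;
}

// Constructed sample input, not real data.
const SAMPLE_USER = { id: 42, displayName: "Alice <script>alert(1)</script>" };
const SAMPLE_CONFIG = {
  JELLYFIN_URL: "http://jellyfin.local:8096",
  JELLYFIN_API_KEY: "constructed-jellyfin-key",
  JELLYSEERR_API_KEY: "",
  DISCORD_TOKEN: "constructed-discord-token",
};

console.log(renderUserOption(SAMPLE_USER));
console.log(JSON.stringify(redactConfig(SAMPLE_CONFIG), null, 2));
```

Escaping at render time is the fix for the selector; redaction at the API is defence in depth, so that a future script injection cannot harvest tokens even if one slips through.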


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-03-16T21:03:44.422Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69bcbde5e32a4fbe5f2545b1

Added to database: 3/20/2026, 3:24:21 AM

Last enriched: 3/20/2026, 3:39:47 AM

Last updated: 3/20/2026, 4:50:41 AM
