CVE-2026-32891 — AI Deep Analysis Summary

🚨 **Essence**: Anchorr v1.4.1 has a Stored XSS flaw in the Jellyseerr user selector. 📉 **Consequences**: Attackers can inject malicious scripts.…

🛡️ **Root Cause**: **CWE-80** (Improper Neutralization of Input During Web Page Generation). The flaw lies in how the **Jellyseerr user selector** handles and renders user input without proper sanitization.

👥 **Affected**: **Anchorr** Discord Bot by **openVESSL**. Specifically versions **1.4.1 and earlier**. If you are running v1.4.1 or older, you are at risk.

💀 **Hacker Capabilities**: With Stored XSS, hackers can execute arbitrary JavaScript in victims' browsers.…

🔓 **Exploitation Threshold**: **Medium**. Requires **PR:L** (Low Privileges) and **UI:R** (User Interaction). The attacker needs to trick a user into interacting with the malicious payload in the user selector.

🚫 **Public Exploit**: **No**. The `pocs` field is empty. While advisory links exist, there is no confirmed public Proof-of-Concept (PoC) or wild exploitation code available yet.

🔍 **Self-Check**: Inspect the **Jellyseerr user selector** feature in your Anchorr bot. Look for any input fields that render user names or IDs without escaping.…

✅ **Official Fix**: **Yes**. The vulnerability is fixed in **Anchorr v1.4.2**. Check the GitHub release notes for the patch details. Upgrade immediately to the latest version.

🛑 **No Patch Workaround**: If you cannot upgrade, **disable** the Jellyseerr integration or restrict access to the user selector feature. Manually sanitize any user inputs if you have custom code access.…

⚡ **Urgency**: **HIGH**. CVSS Score indicates **High** impact (C:H, I:H, A:H). Since it leads to Account Takeover, prioritize patching to v1.4.2 immediately to prevent potential ATO incidents.