Vibe Security Radar

CVE-2026-32890

openvessl/anchorr
Mar 20, 2026 | CWE-200 | CWE-79
JavaScript
Verified by gpt-5.4-high
Severity
CRITICAL 9.7
Verdict
CONFIRMED
0.8 confidence
AI Tool
Claude Code
Language
JavaScript

Anchorr: Stored XSS in User Mapping dropdown allows unprivileged Discord users to exfiltrate all secrets via /api/config

How AI Introduced This

Yes. AI-authored commit 403ccf079be0ee5e6660f0ed2fa64174d76eff2f (Claude Code) directly introduced the vulnerable Discord user-mapping dropdown by rendering Discord-controlled member fields with `innerHTML` in `web/script.js`. A separate earlier non-AI dashboard commit exposed raw configuration secrets to browser-side JavaScript, which made that AI-authored XSS sink capable of exfiltrating secrets via `/api/config`.

Attribution Chain
Advisory
OSV
Fix Commit
d5ae67e (openvessl/anchorr)
git blame
jellyfinWebhook.js, web/script.js
Bug-Introducing Commit
Advisory
OSV
Fix Commit
d5ae67e (openvessl/anchorr)
git blame
web/script.js
Bug-Introducing Commit
Bug-Introducing Commits (2)

Implement Jellyfin API Polling System with per-library channel routing

nairdahh | Nov 23, 2025 | jellyfinWebhook.js, web/script.js | Blame: 60%

Add Logs viewer page with connection status indicators

nairdahh | Nov 21, 2025 | web/script.js | Blame: 37%

Deep Verification

by investigator-override
CONFIRMED 0.8
0 tool calls
80%


AI Signals (3)
Commit 8690a9f
Claude Code | Co-author trailer | Co-Authored-By: Claude <noreply@anthropic.com> | 95%
Commit 403ccf0
Claude Code | Co-author trailer | Co-Authored-By: Claude <noreply@anthropic.com> | 95%
Claude Code | Commit message keyword | Generated with Claude Code | 95%
Fix Commits (2)
References (4)