CVE-2026-32891

Anchorr · Anchorr Discord Bot

Anchorr versions 1.4.1 and below contain a stored XSS vulnerability in the Jellyseerr user selector, allowing full administrative session takeover and service-wide credential theft.

Executive summary

A critical stored XSS vulnerability in Anchorr’s Jellyseerr integration allows attackers to forge administrative session tokens and gain full control over the bot and all linked media services.

Vulnerability

Malicious JavaScript can be injected via the Jellyseerr user selector, where user-controlled profile data is rendered into the dashboard without proper encoding. When an administrator views the dashboard, the script executes in the administrator's browser context, calls the authenticated /api/config endpoint, and exfiltrates session tokens and API keys. This allows an attacker with a Jellyseerr account to escalate to full administrator status.
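To make the root cause concrete, the following is an added example (not Anchorr's code) of the rendering pattern that produces a stored XSS in a user selector, beside its hardened form. The function names, the sample user list and the injected display name are all constructed for this illustration; the advisory does not publish Anchorr's actual template.

```javascript
// Added example, not Anchorr's code: a user selector rendered from API data.
// Constructed sample: what a dashboard might receive from a Jellyseerr users API.
// The second displayName is attacker-controlled content of the kind the advisory describes.
const SAMPLE_USERS = [
  { id: 1, displayName: "alice" },
  { id: 2, displayName: '<img src=x onerror="alert(1)">' },
];

// Vulnerable pattern: user-controlled strings concatenated straight into markup.
// Assigning this string to innerHTML later executes the injected handler.
function renderUserSelectorUnsafe(users) {
  return users
    .map((u) => `<option value="${u.id}">${u.displayName}</option>`)
    .join("");
}

// Hardened pattern: escape the five HTML-significant characters before interpolation.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#39;",
  })[c]);
}

function renderUserSelectorSafe(users) {
  return users
    .map((u) => `<option value="${escapeHtml(u.id)}">${escapeHtml(u.displayName)}</option>`)
    .join("");
}

// Review check: does the rendered markup contain any tag other than the
// <option> elements the renderer emitted itself?
function containsInjectedTag(html) {
  return /<(?!\/?option\b)[a-z]/i.test(html);
}

console.log("unsafe renderer leaks a tag:", containsInjectedTag(renderUserSelectorUnsafe(SAMPLE_USERS)));
console.log("safe renderer leaks a tag:  ", containsInjectedTag(renderUserSelectorSafe(SAMPLE_USERS)));
```

In a real dashboard the equivalent fix is to build the `<option>` elements with DOM APIs and set `option.textContent`, which never parses the name as markup; a Content-Security-Policy without `'unsafe-inline'` is a useful second layer because it blocks the inline `onerror` handler even when an encoding bug slips through.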

Business impact

This vulnerability results in a total compromise of the Anchorr ecosystem. By hijacking an admin session, attackers gain access to the dashboard and all integrated services, including Jellyfin, Jellyseerr, and Discord. The exposure of API keys allows simultaneous account takeovers across multiple platforms, leading to extensive data exposure and unauthorized infrastructure control. The CVSS score of 9.0 places the issue in the Critical severity band.

Remediation

Immediate Action: Update Anchorr to version 1.4.2 to remediate the XSS flaw and secure the administrative configuration data.

Proactive Monitoring: Audit Jellyseerr user accounts for suspicious names or profiles and monitor Anchorr admin logs for session activity originating from unexpected IP addresses.

Compensating Controls: Implement a Web Application Firewall (WAF) to detect and block XSS payloads and restrict access to the Anchorr dashboard to a management VPN.
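The Proactive Monitoring item above describes two checks: auditing Jellyseerr accounts for suspicious names and reviewing admin session activity by source address. The following added example (not Anchorr's code) implements both over constructed sample data. The log line format, the field names and the management network range are assumptions, since the advisory does not document Anchorr's log schema; adapt the parsing regex to the real format.

```javascript
// Added example, not Anchorr's code: the two monitoring checks from the advisory.

// Markup or event-handler fragments in a display name are a strong signal that
// someone is probing for this class of bug; legitimate names rarely contain them.
const SUSPICIOUS_NAME = /[<>]|javascript:|\bon[a-z]+\s*=|&#x?[0-9a-f]+;/i;

function flagSuspiciousUsers(users) {
  return users.filter((u) => SUSPICIOUS_NAME.test(u.displayName)).map((u) => u.id);
}

// Minimal dependency-free IPv4 CIDR matcher for an admin-session allowlist.
function ipToInt(ip) {
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some((p) => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`bad IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  // JS shift counts are taken mod 32, so a /0 needs its own branch.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Assumed log line shape (constructed, not Anchorr's real format):
// "<ISO time> admin-session user=<name> ip=<addr> action=<what>"
const ADMIN_LINE = /^(\S+) admin-session user=(\S+) ip=(\S+) action=(\S+)/;

function flagUnexpectedAdminSessions(logLines, allowedCidrs) {
  const hits = [];
  for (const line of logLines) {
    const m = ADMIN_LINE.exec(line);
    if (!m) continue; // not an admin-session record
    const [, time, user, ip, action] = m;
    if (!allowedCidrs.some((c) => inCidr(ip, c))) {
      hits.push({ time, user, ip, action });
    }
  }
  return hits;
}

// Constructed sample data for a stand-alone run.
const SAMPLE_USERS = [
  { id: 1, displayName: "alice" },
  { id: 2, displayName: "bob<script>probe</script>" },
  { id: 3, displayName: "carol &amp; dave" },
];
const SAMPLE_LOG = [
  "2026-03-01T10:00:00Z admin-session user=admin ip=10.20.0.15 action=login",
  "2026-03-01T10:05:12Z admin-session user=admin ip=203.0.113.77 action=config_read",
  "2026-03-01T10:06:00Z request user=alice ip=10.20.0.40 action=search",
];
const MANAGEMENT_CIDRS = ["10.20.0.0/24"]; // assumed management VPN range

console.log("suspicious user ids:", flagSuspiciousUsers(SAMPLE_USERS));
console.log("admin sessions outside management range:", flagUnexpectedAdminSessions(SAMPLE_LOG, MANAGEMENT_CIDRS));
```

An admin session that reads configuration from an address outside the management range is the signal to act on: the advisory's payload calls /api/config from the victim's browser, so a hit on that action is worth correlating with the list of suspicious account names before deciding whether to invalidate sessions and rotate keys.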

Exploitation status

Public exploit available: no

Analyst recommendation

Applying the 1.4.2 update is the only effective way to mitigate this risk. Given that this vulnerability allows for administrative session forgery, administrators should also invalidate all current sessions and rotate all API keys for integrated services (Discord, Jellyfin, Jellyseerr) immediately after patching.