GHSA-r5pr-887v-m2w9: Stored XSS in Memray-generated HTML reports via unescaped command-line metadata
Summary
Memray versions 1.19.1 and earlier had a stored XSS vulnerability (a type of attack where malicious code is permanently stored and executed when viewed) in their HTML reports because command-line arguments were inserted directly into the HTML without escaping (converting special characters so they display as text rather than code). An attacker who could control a program's script name or command-line arguments could inject JavaScript that would execute when someone opened the generated report in a browser.
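An added illustration of this bug class, not Memray's code: a hypothetical report renderer (`TEMPLATE`, `render_unsafe`, `render_safe` and the sample `ARGV` are all constructed here) that inserts command-line metadata into HTML with and without escaping. The check parses each report and flags any tag the template itself did not define.

```python
import html
from html.parser import HTMLParser

# Hypothetical report template (an assumption, not Memray's template).
TEMPLATE = ("<html><body><h1>Memory report</h1>"
            "<p>Command line: <code>{command}</code></p></body></html>")
EXPECTED_TAGS = {"html", "body", "h1", "p", "code"}

# Constructed sample: a profiled program whose argument contains markup.
ARGV = ["python", "app.py", "--label=<script>alert(1)</script>"]


def render_unsafe(argv):
    """Vulnerable pattern: metadata is inserted into the HTML as-is."""
    return TEMPLATE.format(command=" ".join(argv))


def render_safe(argv):
    """Hardened pattern: escape metadata for an HTML text context."""
    return TEMPLATE.format(command=html.escape(" ".join(argv), quote=True))


class _Collector(HTMLParser):
    """Records every start tag and every run of visible text."""

    def __init__(self):
        super().__init__()
        self.tags, self.text = [], []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)

    def handle_data(self, data):
        self.text.append(data)


def _parse(report):
    collector = _Collector()
    collector.feed(report)
    collector.close()
    return collector


def unexpected_tags(report):
    """Tags present in the report that the template never defined."""
    return [t for t in _parse(report).tags if t not in EXPECTED_TAGS]


def visible_text(report):
    """Text a browser would display, with character references decoded."""
    return "".join(_parse(report).text)
```

Running `unexpected_tags` over a generated report works as a regression check: escaped metadata still displays verbatim in `visible_text`, but it never shows up as a tag.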
Solution / Mitigation
Upgrade to Memray 1.19.2, and avoid attaching Memray to untrusted processes until you have upgraded.
Vulnerability Details
EPSS: 0.0%
March 16, 2026
Original source: https://github.com/advisories/GHSA-r5pr-887v-m2w9
First tracked: March 16, 2026 at 02:00 PM