4 matches found
Bloomberg Memray Cross Site Scripting
Bloomberg Memray prior to version 1.19.2 rendered the command line of the tracked process directly into generated HTML reports without escaping, allowing for cross-site scripting attacks. CVE-2026-32722 Bloomberg Memray’s Stored XSS via Unescaped Command-Line Metadata Intro I found this issue...
arlbench (=0.1.3), backend-ai-appproxy-coordinator (>=25.13.0 <=26.4.4rc6) +3 more potentially affected by CVE-2026-32722 via memray (>=1.12.0 <=1.17.2)
memray PYPI version =1.12.0, =25.13.0, =25.13.0, =26.2.0, =26.4.4rc6 - feluda-image-vec-rep-resnet =0.1.0 Source cves: CVE-2026-32722 Source advisory: SNYK:PYTHON-MEMRAY-15763582...
arlbench (=0.1.3), backend-ai-appproxy-coordinator (>=25.13.0 <=26.4.4rc6) +3 more potentially affected by CVE-2026-32722 via memray (>=1.12.0 <=1.17.2)
memray PYPI version =1.12.0, =25.13.0, =25.13.0, =26.2.0, =26.4.4rc6 - feluda-image-vec-rep-resnet =0.1.0 Source cves: CVE-2026-32722 Source advisory: OSV:GHSA-R5PR-887V-M2W9...
CVE-2026-32722
creationtimestamp | type | source
---|---|---
2026-03-13 22:01:26+00:00 | published-proof-of-concept | https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
2026-03-20 09:00:06+00:00 | seen | https://bsky.app/profile/concisecyber.bsky.social/post/3mhi5onwafp26...