CVE-2026-32722: Stored XSS in Memray-generated HTML reports via unescaped command-line metadata
Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. As a result, attacker-controlled command-line arguments were inserted into the generated report as raw HTML.
This allowed JavaScript execution when a victim opened the generated report in a browser.
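The bug class described above, shown as an added example (not Memray's code or its actual template): a report renderer that interpolates the command line raw, next to one that HTML-escapes it, with a parser-based check for elements the template never declared. The template, function names and sample argv are constructed for illustration.

```python
import html
from html.parser import HTMLParser
from string import Template

# Hypothetical minimal report template (assumption, not Memray's template).
REPORT = Template(
    "<html><body><h1>Report</h1>"
    "<p>Command line: <code>$cmdline</code></p></body></html>"
)
TEMPLATE_TAGS = ["html", "body", "h1", "p", "code"]

# Constructed sample: argv of a tracked process carrying markup in an argument.
CONSTRUCTED_ARGV = ["python", "app.py", "--name=<script>alert(1)</script>"]


def render_unescaped(argv):
    """Unsafe pattern: process metadata is interpolated as raw HTML."""
    return REPORT.substitute(cmdline=" ".join(argv))


def render_escaped(argv):
    """Hardened pattern: metadata is HTML-escaped before interpolation."""
    return REPORT.substitute(cmdline=html.escape(" ".join(argv), quote=True))


class TagCollector(HTMLParser):
    """Records every element start tag an HTML parser sees in the report."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(report_html):
    """Return element names present in the report but not in the template."""
    collector = TagCollector()
    collector.feed(report_html)
    collector.close()
    extra = list(collector.tags)
    for tag in TEMPLATE_TAGS:
        if tag in extra:
            extra.remove(tag)
    return extra


if __name__ == "__main__":
    print("unescaped:", injected_tags(render_unescaped(CONSTRUCTED_ARGV)))
    print("escaped:  ", injected_tags(render_escaped(CONSTRUCTED_ARGV)))
```

The same `injected_tags` check can serve as a regression test for any report generator that embeds process metadata: feed it metadata containing markup and require an empty result.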