{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-32722",
        "tracking": {
            "current_release_date": "2026-03-26T06:11:15.425886Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-32722",
            "initial_release_date": "2026-03-16T17:45:18.183182Z",
            "revision_history": [
                {
                    "date": "2026-03-16T17:45:18.183182Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-16T17:45:31.887587Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-18T21:38:51.965260Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-18T21:38:56.387275Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-18T22:24:41.762130Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-18T22:24:45.551488Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T12:44:06.656412Z",
                    "number": "7",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source."
                },
                {
                    "date": "2026-03-19T12:44:17.359077Z",
                    "number": "8",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-19T15:31:19.868246Z",
                    "number": "9",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (4).| CWES updated (1)."
                },
                {
                    "date": "2026-03-19T21:08:59.562731Z",
                    "number": "10",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-20T09:29:39.546319Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-20T09:29:42.386723Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T18:16:37.319719Z",
                    "number": "13",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (3).| CWES updated (1).| Unknown change."
                },
                {
                    "date": "2026-03-20T18:16:39.933246Z",
                    "number": "14",
                    "summary": "Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-03-20T18:16:42.667880Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-20T19:56:04.626111Z",
                    "number": "16",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-23T05:16:27.920758Z",
                    "number": "17",
                    "summary": "References removed (1)."
                },
                {
                    "date": "2026-03-24T20:56:52.963132Z",
                    "number": "18",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-24T20:56:56.699381Z",
                    "number": "19",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "19"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.19.2",
                                "product": {
                                    "name": "vers:unknown/<1.19.2",
                                    "product_id": "CSAFPID-5845480",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:bloomberg:memray:*:*:*:*:*:python:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "memray"
                    }
                ],
                "category": "vendor",
                "name": "bloomberg"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-32722",
            "cwe": {
                "id": "CWE-79",
                "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nPrior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report.\n\nThis allowed JavaScript execution when a victim opened the generated report in a browser.\n\n## Affected Version\n\n- Memray version: `1.19.1` and earlier\n\n## Remediation\n\nUpgrade to Memray 1.19.2, and avoid attaching Memray to untrusted processes until you have upgraded.\n\n## Root Cause\n\nJinja is used to embed the process's command line arguments into the generated flame graph or table report. Memray has not been telling Jinja to HTML escape the command line arguments when writing them into the HTML, leading to a stored XSS vulnerability.\n\n## Impact\n\nAn attacker who can influence the script name or command-line arguments of a profiled program can inject HTML/JavaScript into Memray-generated HTML reports (both `memray flamegraph` and `memray table` reports, both with and without `--no-web`). When a victim opens the generated report in a browser, the injected JavaScript executes in the context of the report.\n\nNote that in the case of `memray attach`, the user attaching Memray and generating the report may be a different user than the one who ran the command and set up the command line arguments.\n\n## Proof of Concept\n\nRun Memray on a script with an attacker-controlled filename:\n\n```bash\ntouch '<img src=x onerror=alert(1)>'\npython -m memray run -o poc.bin '<img src=x onerror=alert(1)>'\n```\n\nGenerate a report:\n\n```bash\npython -m memray flamegraph -o poc.html poc.bin\n```\n\n## Observed Result\n\nThe generated HTML contains raw unescaped attacker-controlled HTML.\n\nOpening or reloading the generated report in a browser triggers JavaScript execution.",
                    "title": "github - https://github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "description",
                    "text": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.",
                    "title": "cveprojectv5 - https://www.cve.org/CVERecord?id=CVE-2026-32722"
                },
                {
                    "category": "description",
                    "text": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.",
                    "title": "nvd - https://nvd.nist.gov/vuln/detail/CVE-2026-32722"
                },
                {
                    "category": "description",
                    "text": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.",
                    "title": "debian - https://security-tracker.debian.org/tracker/CVE-2026-32722"
                },
                {
                    "category": "description",
                    "text": "## Summary\n\nPrior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report.\n\nThis allowed JavaScript execution when a victim opened the generated report in a browser.\n\n## Affected Version\n\n- Memray version: `1.19.1` and earlier\n\n## Remediation\n\nUpgrade to Memray 1.19.2, and avoid attaching Memray to untrusted processes until you have upgraded.\n\n## Root Cause\n\nJinja is used to embed the process's command line arguments into the generated flame graph or table report. Memray has not been telling Jinja to HTML escape the command line arguments when writing them into the HTML, leading to a stored XSS vulnerability.\n\n## Impact\n\nAn attacker who can influence the script name or command-line arguments of a profiled program can inject HTML/JavaScript into Memray-generated HTML reports (both `memray flamegraph` and `memray table` reports, both with and without `--no-web`). When a victim opens the generated report in a browser, the injected JavaScript executes in the context of the report.\n\nNote that in the case of `memray attach`, the user attaching Memray and generating the report may be a different user than the one who ran the command and set up the command line arguments.\n\n## Proof of Concept\n\nRun Memray on a script with an attacker-controlled filename:\n\n```bash\ntouch '<img src=x onerror=alert(1)>'\npython -m memray run -o poc.bin '<img src=x onerror=alert(1)>'\n```\n\nGenerate a report:\n\n```bash\npython -m memray flamegraph -o poc.html poc.bin\n```\n\n## Observed Result\n\nThe generated HTML contains raw unescaped attacker-controlled HTML.\n\nOpening or reloading the generated report in a browser triggers JavaScript execution.",
                    "title": "github - https://api.github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "description",
                    "text": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32722"
                },
                {
                    "category": "description",
                    "text": "Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32722.json"
                },
                {
                    "category": "other",
                    "text": "0.00018",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.0",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Exploit code publicly available, The value of the most recent CVSS (V3) score, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5845480"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "external",
                    "summary": "Source raw - github",
                    "url": "https://api.github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://www.cve.org/CVERecord?id=CVE-2026-32722"
                },
                {
                    "category": "external",
                    "summary": "Source raw - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32722.json"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32722"
                },
                {
                    "category": "external",
                    "summary": "Source raw - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32722"
                },
                {
                    "category": "external",
                    "summary": "Source - debian",
                    "url": "https://security-tracker.debian.org/tracker/CVE-2026-32722"
                },
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-32722"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/32xxx/CVE-2026-32722.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/bloomberg/memray/releases/tag/v1.19.2"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-r5pr-887v-m2w9"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32722"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N",
                        "baseScore": 3.6,
                        "baseSeverity": "LOW"
                    },
                    "products": [
                        "CSAFPID-5845480"
                    ]
                }
            ],
            "title": "CVE-2026-32722"
        }
    ]
}