Vulnerability Description
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bloomberg | Memray | < 1.19.2 |
Related Weaknesses (CWE)
References
- https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545cePatch
- https://github.com/bloomberg/memray/releases/tag/v1.19.2ProductRelease Notes
- https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9ExploitVendor Advisory
FAQ
What is CVE-2026-32722?
CVE-2026-32722 is a vulnerability with a CVSS score of 3.6 (LOW). Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no esca...
How severe is CVE-2026-32722?
CVE-2026-32722 has been rated LOW with a CVSS base score of 3.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-32722?
Check the references section above for vendor advisories and patch information. Affected products include: Bloomberg Memray.