CVE-2026-32722 in memray
Summary
by MITRE • 03/19/2026
Memray is a memory profiler for Python. Prior to Memray 1.19.2, Memray rendered the command line of the tracked process directly into generated HTML reports without escaping. Because there was no escaping, attacker-controlled command line arguments were inserted as raw HTML into the generated report. This allowed JavaScript execution when a victim opened the generated report in a browser. Version 1.19.2 fixes the issue.
Analysis
by VulDB Data Team • 03/24/2026
The vulnerability CVE-2026-32722 affects Memray, a memory profiling tool for Python applications, in versions prior to 1.19.2. It is a cross-site scripting flaw (CWE-79) caused by missing output encoding during HTML report generation: the command line of the tracked process is written into the report without HTML escaping, so any argument that contains markup is rendered by the browser as markup rather than shown as text.
The flaw sits in Memray's HTML report generation. When Memray tracks a Python process and later renders a report, it records the command line used to invoke that process and interpolates it into the HTML document. Because no escaping is applied at the point of interpolation, an argument such as a string containing `<script>` or an element with an event-handler attribute becomes part of the document's DOM. The browser cannot distinguish markup that came from the report template from markup that came from an argument, so the injected JavaScript runs when the report is opened.
The impact is script execution in the browser of whoever opens the report, not remote code execution on the profiled host. An attacker who can influence the command line arguments of the tracked process, for example through untrusted input that ends up on the command line of a profiled job, can embed a payload that executes arbitrary JavaScript in the context in which the report is viewed. What that context allows depends on how the report is opened: a report loaded from the local filesystem has a different origin and privileges than one served from an internal web host where other pages or credentials are reachable. The flaw maps to CWE-79 and is relevant to any team that generates Memray reports from processes whose arguments are not fully under its control and then shares those reports.
Memray 1.19.2 fixes the issue by HTML-escaping the command line before inserting it into the report, so metacharacters such as `<`, `>`, `&` and quotes are emitted as character references and displayed as text. This is the standard output-encoding defense against XSS. In ATT&CK terms the flaw is classified under T1203, Exploitation for Client Execution. Organizations using Memray should upgrade to 1.19.2 or later, particularly where reports are shared or published. Note that upgrading only affects reports generated after the upgrade: reports produced by an older version remain unescaped, so existing reports should be regenerated or treated as untrusted before they are opened or hosted.
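The following added example (it is not Memray's own code, and the function and constant names are invented for illustration) models the two rendering patterns described above: a template that interpolates the tracked command line verbatim, beside one that escapes it with `html.escape`. It also includes a small check, built on the standard library HTML parser, that reports any element or `on*` event-handler attribute in a fragment that the template itself did not emit, which is a practical way to test a generated report for this class of bug. The command line is a constructed sample.

```python
import html
from html.parser import HTMLParser

# Constructed sample: the command line of a tracked process, where one
# argument carries an HTML payload. Hypothetical input, not from a real report.
TRACKED_ARGV = [
    "python", "app.py", "--label",
    '<img src=x onerror="alert(document.cookie)">',
]

# Tags the report template itself is allowed to emit (assumption for this demo).
TEMPLATE_TAGS = {"p", "code"}


def render_cmdline_vulnerable(argv):
    """Models the pre-1.19.2 pattern: the joined command line is interpolated
    verbatim, so '<' and '>' in an argument become real elements."""
    cmdline = " ".join(argv)
    return f"<p>Command line: <code>{cmdline}</code></p>"


def render_cmdline_fixed(argv):
    """Escape at the point of interpolation. quote=True also encodes ' and "
    so the same string is safe inside a quoted attribute value."""
    cmdline = html.escape(" ".join(argv), quote=True)
    return f'<p title="{cmdline}">Command line: <code>{cmdline}</code></p>'


class _TagCollector(HTMLParser):
    """Records every start tag and every on* attribute the parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(name for name, _ in attrs if name.startswith("on"))


def unexpected_markup(fragment):
    """Return (unexpected_tags, event_handler_attrs) found in the fragment.
    Both lists are empty when the only elements present are the template's own."""
    parser = _TagCollector()
    parser.feed(fragment)
    parser.close()
    unexpected = [t for t in parser.tags if t not in TEMPLATE_TAGS]
    return unexpected, parser.event_attrs


if __name__ == "__main__":
    for name, render in (("vulnerable", render_cmdline_vulnerable),
                         ("fixed", render_cmdline_fixed)):
        fragment = render(TRACKED_ARGV)
        tags, handlers = unexpected_markup(fragment)
        print(f"{name}: unexpected tags={tags} event handlers={handlers}")
```

Running the block prints an `img` element and an `onerror` handler for the vulnerable renderer and nothing for the fixed one. The same `unexpected_markup` check can be pointed at a real report by feeding it the file contents and an allow-list of the tags the report template is known to produce; any tag or `on*` attribute outside that list came from data, not from the template.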
The case illustrates a general rule for tools that turn collected data into HTML: every value that originates outside the tool, including something as mundane as the command line of a process, is untrusted at the point where it is written into markup, and must be encoded for the context it lands in. Profiling and diagnostic tools deserve the same output-encoding discipline as web applications, because their reports are opened in the same browsers.