#1131372 - python-memray: CVE-2026-32722 - Debian Bug report logs
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 20 Mar 2026 16:44:01 UTC
Severity: important
Tags: security, upstream
Found in version python-memray/1.17.0+dfsg-1
Fixed in version python-memray/1.19.3+dfsg-1
Done: Colin Watson <cjwatson@debian.org>
Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, Debian Security Team <team@security.debian.org> (additional cc recipient for {1131372}), Debian Python Team <team+python@tracker.debian.org> (src:python-memray for {1131372}): Bug#1131372; Package src:python-memray. (Fri, 20 Mar 2026 16:44:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, team+python@tracker.debian.org. (Fri, 20 Mar 2026 16:44:02 GMT)
Message #5 received at submit@bugs.debian.org:
Source: python-memray
Version: 1.17.0+dfsg-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerability was published for python-memray.
CVE-2026-32722[0]:
| Memray is a memory profiler for Python. Prior to Memray 1.19.2,
| Memray rendered the command line of the tracked process directly
| into generated HTML reports without escaping. Because there was no
| escaping, attacker-controlled command line arguments were inserted
| as raw HTML into the generated report. This allowed JavaScript
| execution when a victim opened the generated report in a browser.
| Version 1.19.2 fixes the issue.
If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-32722
    https://www.cve.org/CVERecord?id=CVE-2026-32722
[1] https://github.com/bloomberg/memray/security/advisories/GHSA-r5pr-887v-m2w9
[2] https://github.com/bloomberg/memray/commit/ba6e4e2e9930f9641bed7adfdf43c8e2545ce249
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
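The advisory quoted in the report above describes a plain HTML-injection path: untrusted text (the tracked process's argv) is concatenated into an HTML report without escaping, and the report is later opened in a browser, where the injected markup runs as script. The block below is an added example and is not memray's code, nor a copy of the upstream fix commit linked as [2]; it shows the class of bug and the class of fix (the changelog for 1.19.3+dfsg-1 describes the fix as HTML-escaping the command line when it is written into the flamegraph and table reports). It renders a minimal report the vulnerable way and the escaped way, uses an HTML-parser based check to tell the two apart on constructed attacker-controlled command lines, and compares a version string against the first fixed upstream release named in the advisory (1.19.2). The template string, the function names, the TEMPLATE_TAGS set and the sample argv lists are all hypothetical.

```python
"""Added example (not memray's code): an HTML report that embeds the tracked
process's command line, rendered the vulnerable way and the escaped way,
plus a check that tells the two apart.

Everything below is hypothetical: the template, the function names, the
TEMPLATE_TAGS set and the constructed argv lists are not from memray or
from the bug report.
"""
import html
from html.parser import HTMLParser
from itertools import takewhile

# Hypothetical report template. Only the command_line slot is untrusted.
TEMPLATE = (
    "<!doctype html><html><body>"
    "<h1>Memory report</h1>"
    "<p>Command line: <code>{command_line}</code></p>"
    "</body></html>"
)

# Start tags the template itself emits; anything else in a rendered report
# came from the data that was interpolated into it.
TEMPLATE_TAGS = frozenset({"html", "body", "h1", "p", "code"})


def render_report_unescaped(argv: list[str]) -> str:
    """Vulnerable pattern: argv is joined and pasted into the page as raw HTML."""
    return TEMPLATE.format(command_line=" ".join(argv))


def render_report_escaped(argv: list[str]) -> str:
    """Fixed pattern: escape at the point where text becomes markup.

    html.escape(quote=True) turns & < > " ' into entities, so the browser
    shows the command line verbatim instead of parsing it as tags.
    """
    return TEMPLATE.format(command_line=html.escape(" ".join(argv), quote=True))


class _StartTagCollector(HTMLParser):
    """Record every start tag and its attributes as a browser would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []  # list of (tag, {attribute: value})

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_elements(report_html: str) -> list[str]:
    """Return tag names the template did not emit, or that carry an on*
    event-handler attribute. A correctly escaped report returns [] even
    when argv contains markup."""
    parser = _StartTagCollector()
    parser.feed(report_html)
    parser.close()
    flagged = []
    for tag, attrs in parser.tags:
        has_handler = any(name.lower().startswith("on") for name in attrs)
        if tag not in TEMPLATE_TAGS or has_handler:
            flagged.append(tag)
    return flagged


def _version_tuple(version: str) -> tuple[int, ...]:
    """'1.17.0+dfsg-1' -> (1, 17, 0); non-numeric suffixes are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(takewhile(str.isdigit, piece))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


FIRST_FIXED_UPSTREAM = (1, 19, 2)  # first fixed release per the advisory text


def memray_version_is_fixed(version: str) -> bool:
    """True when the given memray version is at or above 1.19.2."""
    return _version_tuple(version) >= FIRST_FIXED_UPSTREAM


# Constructed attacker-controlled command lines (not inputs from the report).
ATTACKER_ARGV = ["python", "serve.py", "--banner=<img src=x onerror=alert(1)>"]
BREAKOUT_ARGV = ["python", "serve.py", "--banner=</code><p onmouseover=alert(1)>x"]

if __name__ == "__main__":
    for argv in (ATTACKER_ARGV, BREAKOUT_ARGV):
        print("unescaped:", injected_elements(render_report_unescaped(argv)))
        print("escaped:  ", injected_elements(render_report_escaped(argv)))
    print("1.17.0+dfsg-1 fixed?", memray_version_is_fixed("1.17.0+dfsg-1"))
    print("1.19.3+dfsg-1 fixed?", memray_version_is_fixed("1.19.3+dfsg-1"))
```

Two things worth noting when assessing exposure. The attacker only needs to influence one argument of the profiled command (a CI job that profiles a command assembled from a pull request, or a service restarted with user-supplied flags), and the payload fires when someone opens the saved report, so a report opened from disk still runs the script. Escaping has to happen at the point where the string enters the markup; quote=True also escapes quote characters, which matters if the same value is ever written into an attribute rather than element text.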
Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Thu, 28 May 2026 17:27:02 GMT)
Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Thu, 28 May 2026 17:27:02 GMT)
Message #10 received at 1131372-close@bugs.debian.org:
Source: python-memray
Source-Version: 1.19.3+dfsg-1
Done: Colin Watson <cjwatson@debian.org>
We believe that the bug you reported is fixed in the latest version of python-memray, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 1131372@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated python-memray package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 May 2026 13:56:00 +0100
Source: python-memray
Architecture: source
Version: 1.19.3+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Python Team <team+python@tracker.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 1131372
Changes:
 python-memray (1.19.3+dfsg-1) unstable; urgency=medium
 .
   * Team upload.
   * New upstream release:
     - CVE-2026-32722: Ensure the command line is properly HTML escaped when
       writing it into flamegraph and table reports (closes: #1131372).
 .
 python-memray (1.19.1+dfsg-1) unstable; urgency=medium
 .
   * New upstream version 1.19.1.
   * d/control:
     - Bump Standards-Version to 4.7.3.
     - Remove Rules-Requires-Root.
     - Remove Priority.
   * Update patches 001-fix-html-privacy-breach.patch and
     003-rm-distutils-from-setup.patch for new upstream version.
   * d/copyright: update debian/* copyright year.
   * d/watch: bump to version 5.
Checksums-Sha1:
 a87620677922eb9c454e8da1296f4b3f6accdea7 3310 python-memray_1.19.3+dfsg-1.dsc
 2e243ab47d1b259f3fed2a6162e841c4b8671748 17110440 python-memray_1.19.3+dfsg.orig.tar.xz
 0fe8bcd5132443f383d475980903c8a5a7045a9d 12716 python-memray_1.19.3+dfsg-1.debian.tar.xz
Checksums-Sha256:
 fa4065155b9c4c508c8ccf28483c9380d1d50014a965ad3e5672ee49cb66813f 3310 python-memray_1.19.3+dfsg-1.dsc
 b59efcdb1915a64455c652d1e0442d3c54339ab2bedec6e5da1d073039e100a5 17110440 python-memray_1.19.3+dfsg.orig.tar.xz
 6e23d36174efcb5eb95ffbf443168bb8faf53ac66766a26cab7ab55047f04228 12716 python-memray_1.19.3+dfsg-1.debian.tar.xz
Files:
 79dfcc1971944a251bf2675f8710e3be 3310 python optional python-memray_1.19.3+dfsg-1.dsc
 6c864e91ea27b11b7161efb3310c6e27 17110440 python optional python-memray_1.19.3+dfsg.orig.tar.xz
 caecda3c5ce7f73168b6b4fb5a4b2afc 12716 python optional python-memray_1.19.3+dfsg-1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEErApP8SYRtvzPAcEROTWH2X2GUAsFAmoYO9gACgkQOTWH2X2G
UAtFXRAAmKeF3gxwjOaPJFVrE96B0+FLmNQ82qcm8knzI2FvYltA7o+InwnWx09f
MPB3SVX4rqHvB46zcWbAowytE7N3XQulXMr5MtApHWjKF/+TGfX/o5Xqj1LpGA2k
j5SRhzvHjdrk5NP/yyQu86r3W+fGnal+jKEmtlev6lMFStjMQTUXBSyMG7zrth2N
hGm1y17J8v+crushOUVZZkaji2YaqBjypM5fe4cBi06G1NcQEdU31xNYNikEiHOe
zJwZ79Ge1jZ6O1Be+1241zfvpiqDkiRXJRsY7ml47cAt4I2u2VBpSF5xFfdrZBto
ShGABTHVzZAi0ARKVgDRQaZgYZOatcVMu4epjRCGRpAbibKXW1NC3X+MAKo5I6HF
pGNVekt8AAEj885EFpevBF5BVZZOJ1Z9YBy6d5vtp8xi9ISJhMK5YoPpV5Jeg/vj
esnZ5bACiqsK6TXWHwEhoSwgXA5U9suxFL2wBSsBW4Gi9XJBggM8XA8nYqSw8K3U
QCv3v97p8iUihmjZdv1gnz0c1mhI1uY1HoR1Vg1mXwZAPz23gwTwfrrq8tgEmf6O
ShKOn3EKarLe0/t4Pj/icTAQe6svPCG3vdUgYdFHnN2iQzR2ob7qfQbTRNYoVnQ2
SuH8+vD8JsPHQdqQOpomji9cxxU+REwU2hm+wdY5XuZFMP2Q/+M=
=PsJV
-----END PGP SIGNATURE-----
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Jun 18 07:55:09 2026; Machine Name: berlioz
Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.