CVE-2026-23839
Published: 19 January 2026
Description
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly addresses the root cause of insufficient input validation in the `?categoryUpdated=` parameter, preventing XSS payload injection.
SI-15 enforces output filtering to encode or sanitize reflected inputs, blocking XSS payload execution in the browser.
SI-2 ensures timely flaw remediation by patching to version 0.70.0 or later, eliminating the specific XSS vulnerability.
Security Summary
CVE-2026-23839 is a cross-site scripting (XSS) vulnerability in Movary, a self-hosted web application for tracking, rating, and exploring movie watch history. The issue stems from insufficient input validation (CWE-20) in the `?categoryUpdated=` parameter, allowing attackers to inject and trigger arbitrary JavaScript payloads. It affects all versions of Movary prior to 0.70.0 and has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for high confidentiality and integrity impacts in a scoped context (CWE-79).
Remote attackers without authentication can exploit this vulnerability by crafting malicious URLs or inputs that include XSS payloads in the `?categoryUpdated=` parameter. Exploitation requires user interaction, such as a victim clicking a specially crafted link or visiting a malicious page while logged into a vulnerable Movary instance. Successful attacks enable theft of sensitive user data, such as session cookies or personal watch history, session hijacking, or unauthorized modifications to the application's client-side state.
The Movary project addressed the vulnerability in version 0.70.0, which includes a fix for input validation. Security practitioners should upgrade to this version or later. Official advisories and code details are available in the GitHub security advisory (GHSA-v32w-5qx7-p3vq), the release notes for v0.70.0, and the affected JavaScript file at public/js/settings-account-location.js line 237.
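The two controls listed under Mitigating Controls (SI-10 input validation and SI-15 output filtering) are easiest to see side by side in code. The following is an added example, not Movary's own code and not the actual fix in public/js/settings-account-location.js: it assumes, as a hypothetical, that the page reads `categoryUpdated` from the query string to show a status message. The allowlist values and the message text are constructed for illustration. The value is checked against an allowlist before use, and the message is written with `textContent` so the browser never parses it as markup; an HTML-escaping helper is included for the cases where a value genuinely must be placed inside markup.

```javascript
// Added example (not Movary's code): defensive handling of a reflected query
// parameter such as ?categoryUpdated=. Everything here is illustrative.

// Constructed allowlist of category names the page is allowed to echo (SI-10).
const ALLOWED_CATEGORIES = new Set(['watchlist', 'favorites', 'history']);

// Read the parameter and accept it only if it is on the allowlist.
// Returns the validated value, or null when absent or not allowed.
function validateCategoryUpdated(search) {
  const params = new URLSearchParams(search);
  const value = params.get('categoryUpdated');
  if (value === null) return null;
  return ALLOWED_CATEGORIES.has(value) ? value : null;
}

// Output encoding for the HTML-body context (SI-15). Only needed when a value
// must be interpolated into markup; textContent below does not need it.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the status message from a validated value. Returns null when there is
// nothing safe to show, so the caller renders nothing rather than raw input.
function buildCategoryMessage(search) {
  const category = validateCategoryUpdated(search);
  if (category === null) return null;
  return `Category "${category}" updated.`;
}

// Render into a DOM node using textContent, never innerHTML. The container is
// any object with a textContent property, so this also runs outside a browser.
function renderCategoryMessage(search, container) {
  const message = buildCategoryMessage(search);
  if (message === null) return false;
  container.textContent = message; // assigned as text, not parsed as HTML
  return true;
}

// Stand-alone demonstration with constructed inputs.
const demo = { textContent: '' };
renderCategoryMessage('?categoryUpdated=watchlist', demo);
console.log(demo.textContent);                                   // Category "watchlist" updated.
console.log(buildCategoryMessage('?categoryUpdated=%3Cb%3Ex%3C%2Fb%3E')); // null
console.log(escapeHtml('<b>x</b>'));                             // &lt;b&gt;x&lt;/b&gt;
```

The allowlist is the stronger of the two checks: a value that is not one of a few known names is dropped entirely, so the encoding helper is a second layer rather than the only defence. When a parameter legitimately carries free text, keep the `textContent` assignment and apply `escapeHtml` only where the text has to be built into an HTML string.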
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An XSS vulnerability in a public-facing, self-hosted web application enables exploitation of a public-facing application (T1190) and facilitates theft of session cookies through arbitrary JavaScript execution (T1539).