CVE-2026-23840

CVE-2026-23840 is a cross-site scripting (XSS) vulnerability in Movary, a self-hosted web application for tracking, rating, and exploring movie watch history. The issue stems from insufficient input validation on the `?categoryDeleted=` parameter, allowing attackers to inject and trigger malicious JavaScript payloads. It affects all versions of Movary prior to 0.70.0 and is associated with CWE-20 (Improper Input Validation) and CWE-79 (Cross-Site Scripting). The vulnerability carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and significant impacts on confidentiality and integrity.

Remote attackers without authentication can exploit this vulnerability by crafting malicious URLs with XSS payloads in the `?categoryDeleted=` parameter and tricking authenticated users into accessing them, such as via phishing links or shared resources. Successful exploitation requires user interaction but enables theft of sensitive data like session cookies, account credentials, or manipulation of the victim's browser context within the Movary application, potentially leading to full account compromise given the scoped impact.

The GitHub security advisory (GHSA-pj3m-gmq8-2r57) and release notes for version 0.70.0 detail the fix, which addresses the input validation flaw in the client-side JavaScript code, specifically around line 204 in `public/js/settings-account-location.js`. Security practitioners should immediately upgrade to Movary 0.70.0 or later and review access logs for suspicious `categoryDeleted` parameters to identify potential exploitation attempts.