Cyber Posture

CVE-2026-23841

Critical · Public PoC

Published: 19 January 2026
Modified: 02 February 2026
KEV Added:
Patch: version 0.70.0
CVSS Score: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0013 (32.2nd percentile)
Risk Priority: 19 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly requires validation of untrusted inputs such as the categoryCreated URL parameter, so that XSS payloads are rejected before they are processed.
- prevent: Mandates filtering or encoding of outputs so that a reflected XSS payload cannot execute in the victim's browser.
- prevent: Requires timely remediation of identified flaws, here patching to version 0.70.0, which fixes the input validation issue.

Security Summary [AI-generated]

CVE-2026-23841 is a cross-site scripting (XSS) vulnerability stemming from insufficient input validation (CWE-20, CWE-79) in the Movary web application, which allows users to track, rate, and explore their movie watch history. The issue affects all versions of Movary prior to 0.70.0 and is triggered via the `?categoryCreated=` URL parameter. It has a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges, and potential for high confidentiality and integrity impacts with a changed scope.

Attackers can exploit this vulnerability remotely over the network without authentication by crafting links that place an XSS payload in the `?categoryCreated=` parameter. Exploitation requires user interaction, such as a victim clicking the link or visiting a malicious site while authenticated to a vulnerable Movary instance. Successful exploitation lets the attacker execute arbitrary script in the context of the victim's browser, potentially stealing sensitive data such as session cookies or watch history (C:H) and modifying application state or content (I:H); there is no direct availability impact (A:N).

The Movary project addresses this vulnerability in version 0.70.0, which includes fixes for the input validation flaw. Security practitioners should upgrade to this version immediately, as detailed in the project's release notes at https://github.com/leepeuker/movary/releases/tag/0.70.0 and the GitHub Security Advisory at https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v. No workarounds are specified beyond patching.
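Two checks a defender can run against the facts in this record: whether a deployed Movary version predates the 0.70.0 fix, and whether access logs show requests that place HTML markup in the `categoryCreated` parameter, which an unpatched instance would reflect. This is an added example, not Movary project code; the log format, request paths and IP addresses are constructed, and `safe_render` only illustrates the output-encoding control described above, not the project's actual template.

```python
"""Triage helpers for CVE-2026-23841: reflected XSS via ?categoryCreated= in Movary < 0.70.0.

Added example, not Movary project code. SAMPLE_LOG is constructed combined-format
access-log data; the request paths and client addresses are not Movary's.
"""
import re
from html import escape
from urllib.parse import parse_qs, unquote_plus, urlsplit

FIXED_VERSION = (0, 70, 0)      # fix version named in the advisory
PARAM = "categoryCreated"       # vulnerable parameter named in the advisory
# Characters and tokens that let a reflected text value turn into markup.
MARKUP = re.compile(r"[<>\"']|javascript:|on\w+\s*=", re.IGNORECASE)
# Combined log format: client IP first, request target inside the quoted request line.
REQUEST_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')

SAMPLE_LOG = [  # constructed sample data
    '203.0.113.10 - - [20/Jan/2026:10:00:01 +0000] "GET /example?categoryCreated=Favorites HTTP/1.1" 200 512',
    '203.0.113.11 - - [20/Jan/2026:10:00:05 +0000] "GET /example?categoryCreated=%3Cb%3EFavorites%3C%2Fb%3E HTTP/1.1" 200 540',
    '203.0.113.12 - - [20/Jan/2026:10:00:09 +0000] "GET /movies?search=Dune HTTP/1.1" 200 2048',
]


def parse_version(version: str) -> tuple:
    """Parse 'v0.69.0', '0.70.0' or '0.70.0-rc1' into a comparable (major, minor, patch) tuple."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.groups())


def is_affected(version: str) -> bool:
    """True when the deployed version predates the 0.70.0 fix."""
    return parse_version(version) < FIXED_VERSION


def suspicious_category_values(log_lines):
    """Return (client_ip, decoded value) for requests whose categoryCreated value carries markup."""
    hits = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        ip, target = m.groups()
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in query.get(PARAM, []):
            value = unquote_plus(raw)  # parse_qs decoded once; decode again to catch double-encoding
            if MARKUP.search(value):
                hits.append((ip, value))
    return hits


def safe_render(value: str) -> str:
    """Output encoding, the control the record describes: escaped text cannot open tags or attributes."""
    return f'<div class="flash">Category created: {escape(value, quote=True)}</div>'
```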

Details

CWE(s): CWE-20 (Improper Input Validation), CWE-79 (Improper Neutralization of Input During Web Page Generation)

Affected Products: leepeuker/movary, versions ≤ 0.70.0

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1566.002 Spearphishing Link (Initial Access): Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems.
- T1555.003 Credentials from Web Browsers (Credential Access): Adversaries may acquire credentials from web browsers by reading files specific to the target browser.
- T1539 Steal Web Session Cookie (Credential Access): An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.

Why these techniques?

The XSS flaw sits in a public-facing web application and is delivered through malicious links (spearphishing); the resulting arbitrary JavaScript execution in the victim's browser can be used to steal browser credentials and web session cookies.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

- Release notes: https://github.com/leepeuker/movary/releases/tag/0.70.0
- GitHub Security Advisory: https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v