Description
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.
Published: 2026-01-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting that enables arbitrary client‑side code execution
Action: Immediate Patch
AI Analysis

Impact

Movary, an application for tracking movie watch history, has an insufficient input validation flaw that permits attackers to inject arbitrary JavaScript through the `?categoryUpdated=` query parameter. When a victim follows a crafted URL, the unsanitized value is rendered in the page, allowing the attacker to execute client‑side code. This can lead to theft of session cookies, credential compromise, or phishing attacks, creating a high confidentiality and integrity risk for users. The vulnerability is classified as Cross‑Site Scripting (CWE‑79) and input validation failure (CWE‑20).

Affected Systems

The vulnerable product is Movary developed by leepeuker. All releases older than version 0.70.0 are susceptible. Version 0.70.0 and later include the fix that sanitizes the `categoryUpdated` parameter.

Risk and Exploitability

The CVSS score of 9.3 denotes critical severity, yet the EPSS score of <1% suggests that current exploitation likelihood is low. Nevertheless, the attack vector relies on a user visiting a malicious URL, making social engineering or phishing plausible. The vulnerability is not listed in the CISA KEV catalog, but its severe impact warrants prompt remediation. Once the application is upgraded, the exposure is removed.

Generated by OpenCVE AI on April 18, 2026 at 05:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Movary to version 0.70.0 or later, which sanitizes the `categoryUpdated` parameter.
  • Configure the application to validate or sanitize input for the `categoryUpdated` query parameter, ensuring only expected values or appropriate encoding before rendering.
  • Deploy web application firewall rules or implement Content Security Policy headers to block or mitigate malicious scripts injected via the parameter.

Generated by OpenCVE AI on April 18, 2026 at 05:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 15:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Leepeuker
Leepeuker movary
Vendors & Products Leepeuker
Leepeuker movary

Mon, 19 Jan 2026 18:45:00 +0000

Type Values Removed Values Added
Description Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.
Title Movary vulnerable to Cross-site Scripting with `?categoryUpdated=` param
Weaknesses CWE-20
CWE-79
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

Subscriptions

Leepeuker Movary
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T21:42:05.092Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23839

cve-icon Vulnrichment

Updated: 2026-01-20T21:42:00.635Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-19T19:16:04.080

Modified: 2026-02-03T14:48:00.613

Link: CVE-2026-23839

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses