Description
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.
Published: 2026-01-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting enabling arbitrary script execution in the victim’s browser
Action: Immediate Patch
AI Analysis

Impact

Insufficient input validation in the Movary web application allows an attacker to embed malicious scripts via the query parameter '?categoryDeleted=' in HTTP requests. This flaw permits the execution of arbitrary JavaScript in the context of the target user's browser; the record classifies the weakness as CWE-79 (cross-site scripting) arising from user input handling. A compromised session can lead to credential theft, session hijacking, phishing, or defacement of user data, putting integrity and confidentiality at risk. The vulnerability is reported with a CVSS score of 9.3, indicating critical severity and severe impact.

Affected Systems

The affected vendor is Lee Peuker; the product is Movary. All releases prior to version 0.70.0 are vulnerable; the fix was released in 0.70.0, and 0.70.0 and later versions are reported as not affected.

Risk and Exploitability

The low EPSS (<1%) suggests a very small probability of widespread exploitation, yet the high CVSS reflects the potential for severe damage if an attacker crafts a malicious URL or injects a payload into the categoryDeleted parameter. The attack vector is inferred to be a reflected or stored client‑side XSS requiring no authentication; a malicious link can compromise any user who visits the target URL. The vulnerability is not listed in the CISA KEV catalog at this time, but the severity warrants prompt action by any organization deploying Movary.

Generated by OpenCVE AI on April 18, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Movary installation to version 0.70.0 or later to remove the unsanitized query parameter usage.
  • Apply server‑side input validation to reject non‑numeric values or script content in the 'categoryDeleted' query parameter.
  • Deploy a web application firewall rule that blocks requests containing suspicious scripts in the query string for the 'categoryDeleted' parameter.
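The two server‑side actions above (allow‑list validation of the parameter, and a request check that flags values which fail it) as an added, framework‑free Python illustration; this is not Movary's code or OpenCVE's, and it assumes `categoryDeleted` is meant to carry a numeric id, which the advisory implies by recommending rejection of non‑numeric values. The `render_notice_vulnerable` function is a hypothetical "before" form of the bug class, shown only for contrast with the hardened version; the log lines are constructed.

```python
from html import escape
from urllib.parse import parse_qs, urlsplit
import re

PARAM = "categoryDeleted"
ID_RE = re.compile(r"[0-9]{1,10}")  # assumption: the parameter carries a numeric id


def validate_category_deleted(raw):
    """Allow-list check: return the value as an int, or None for anything
    that is not a bare non-negative integer (empty, signed, or markup)."""
    if raw is None or not ID_RE.fullmatch(raw):
        return None
    return int(raw)


def render_notice_vulnerable(raw):
    """Hypothetical 'before' form: the raw query value is concatenated into
    HTML, which is the bug class (CWE-79) the advisory describes."""
    return f"<p>Category {raw} deleted.</p>"


def render_notice_hardened(raw):
    """'After' form: validate first, then escape on the path that echoes the
    value, so a rejected value never reaches the page as markup."""
    category_id = validate_category_deleted(raw)
    if category_id is None:
        return "<p>Invalid category reference.</p>"
    # Escaping an int is redundant here; it is kept to show the second layer
    # that protects any free-text rendering of a user-controlled value.
    return f"<p>Category {escape(str(category_id))} deleted.</p>"


def param_from_request_target(target):
    """Extract categoryDeleted from a request target such as '/?categoryDeleted=3';
    parse_qs percent-decodes the value, so the check sees what the app would see."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(PARAM)
    return values[0] if values else None


def flag_suspicious(log_lines):
    """Return (line_number, value) for access-log lines whose categoryDeleted
    fails validation; the same predicate a WAF rule or log review could apply."""
    flagged = []
    for n, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if not m:
            continue
        value = param_from_request_target(m.group(1))
        if value is not None and validate_category_deleted(value) is None:
            flagged.append((n, value))
    return flagged


SAMPLE_LOG = [  # constructed lines, not real traffic
    '203.0.113.5 - - [19/Jan/2026:19:16:04 +0000] "GET /?categoryDeleted=7 HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/Jan/2026:19:16:05 +0000] "GET /?categoryDeleted=%3Ci%3Ex%3C%2Fi%3E HTTP/1.1" 200 540',
    '203.0.113.7 - - [19/Jan/2026:19:16:06 +0000] "GET /movies HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_notice_vulnerable("<i>x</i>"))   # markup reflected as-is
    print(render_notice_hardened("<i>x</i>"))     # rejected before rendering
    print(flag_suspicious(SAMPLE_LOG))            # [(2, '<i>x</i>')]
```

The allow‑list is deliberately narrower than "block script tags": any value that is not a plain integer is rejected, so the check does not depend on recognising particular payload encodings, and the same predicate serves both the application and the request‑level rule.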

Advisories

No advisories yet.

History

Tue, 03 Feb 2026 15:00:00 +0000

Type: CPEs
Values Added: cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Leepeuker; Leepeuker movary
Type: Vendors & Products
Values Added: Leepeuker; Leepeuker movary

Mon, 19 Jan 2026 19:00:00 +0000

Type: Description
Values Added: Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.
Type: Title
Values Added: Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param
Type: Weaknesses
Values Added: CWE-20, CWE-79
Type: References
Values Added: (none listed)
Type: Metrics
Values Added: cvssV3_1 {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T17:30:24.315Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23840

Vulnrichment

Updated: 2026-01-20T17:30:15.565Z

NVD

Status: Analyzed

Published: 2026-01-19T19:16:04.227

Modified: 2026-02-03T14:47:15.050

Link: CVE-2026-23840

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T16:00:04Z

Weaknesses