Description
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.
Published: 2026-01-19
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑site Scripting (client‑side execution)
Action: Patch Immediately
AI Analysis

Impact

Movary, a web‑based film‑tracking application, reflects an unescaped query parameter into its pages, which allows script code to be executed in a victim’s browser. By supplying a crafted value in the `?categoryCreated=` query parameter, an attacker can embed JavaScript that runs with the same privileges as the application page. The resulting impact includes theft of session cookies, impersonation, or arbitrary actions performed on behalf of the user. This vulnerability is classified as CWE‑79 (Cross‑Site Scripting) and also involves an input‑validation weakness (CWE‑20).

Affected Systems

All installations of the Movary application from the vendor `leepeuker` running versions earlier than 0.70.0 are affected. The vulnerability is specific to the web interface where the query parameter is processed, and no patched version prior to 0.70.0 is available.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity, while the EPSS score is reported as less than 1 %. Although the likelihood of exploitation in the wild is low, the vulnerability is publicly disclosed; there are no current official exploitation reports and it is not listed in the CISA KEV catalog. An attacker would need only to craft a URL containing the malicious payload and induce a user to visit it, making exploitation trivial when the target is exposed to web traffic. The fix is straightforward and delivered by the vendor in a new release.

Generated by OpenCVE AI on April 18, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Movary to version 0.70.0 or later, which removes the unsafe handling of the `?categoryCreated=` parameter
  • If an upgrade is not immediately possible, implement server‑side filtering to ensure that any data supplied through the `categoryCreated` query string is either strictly validated or fully escaped before inclusion in any HTML output
  • Deploy Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, thereby reducing the consequence of any remaining XSS vectors
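As an added illustration of the interim server‑side filtering and CSP recommended above (example code, not Movary's own; the notice markup, the allowlist and the function names are assumptions), the vulnerable reflection pattern is shown beside a hardened version that validates the `categoryCreated` value against a strict allowlist and HTML‑escapes it before output:

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed (not Movary's real code): the settings page reads
# ?categoryCreated= and echoes the value into a confirmation notice.
MAX_CATEGORY_LEN = 100
# Allowlist for a category name: letters, digits, spaces and a few
# punctuation marks. Angle brackets and double quotes are never allowed.
_SAFE_CATEGORY = re.compile(r"^[\w .,'&-]+$")

def category_created_from_url(url: str) -> Optional[str]:
    """Return the raw categoryCreated query value, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("categoryCreated")
    return values[0] if values else None

def render_notice_unsafe(value: str) -> str:
    """The vulnerable pattern: the parameter is placed in HTML verbatim."""
    return f'<div class="notice">Category "{value}" was created.</div>'

def validate_category(value: str) -> Optional[str]:
    """Strict validation: return the value unchanged, or None if rejected."""
    if len(value) > MAX_CATEGORY_LEN or not _SAFE_CATEGORY.fullmatch(value):
        return None
    return value

def render_notice_safe(value: str) -> str:
    """Hardened: validate first, then HTML-escape whatever is rendered.
    A rejected value yields a generic notice instead of an error page."""
    checked = validate_category(value)
    if checked is None:
        return '<div class="notice">Category was created.</div>'
    return (f'<div class="notice">Category "{html.escape(checked, quote=True)}"'
            ' was created.</div>')

def csp_header() -> tuple:
    """Response header that blocks inline script, limiting any residual XSS."""
    return ("Content-Security-Policy",
            "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'")
```

Validation and escaping are deliberately both applied: the allowlist rejects unexpected input outright, and escaping guards the output even if the allowlist is later relaxed.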

Advisories

No advisories yet.

History

Mon, 02 Feb 2026 15:30:00 +0000

Type: CPEs
Values removed: (none)
Values added: cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*

Tue, 20 Jan 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 20 Jan 2026 08:45:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Leepeuker; Leepeuker movary

Type: Vendors & Products
Values removed: (none)
Values added: Leepeuker; Leepeuker movary

Mon, 19 Jan 2026 19:00:00 +0000

Type: Description
Values removed: (none)
Values added: Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.

Type: Title
Values removed: (none)
Values added: Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param

Type: Weaknesses
Values removed: (none)
Values added: CWE-20; CWE-79

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-01-20T20:05:55.115Z

Reserved: 2026-01-16T15:46:40.842Z

Link: CVE-2026-23841

Vulnrichment

Updated: 2026-01-20T20:02:45.928Z

NVD

Status: Analyzed

Published: 2026-01-19T19:16:04.370

Modified: 2026-02-02T15:17:06.853

Link: CVE-2026-23841

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T05:15:15Z

Weaknesses