Description
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.
Published: 2026-04-18
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑Side Request Forgery enabling internal network probing
Action: Apply latest patch
AI Analysis

Impact

Movary, a self‑hosted web application used for cataloguing watched films, contains an endpoint that accepts user‑supplied URLs, appends a fixed path, and sends a server‑side HTTP request. Before version 0.71.1, any authenticated user could exploit this flaw to make the server request arbitrary internal hosts via the Guzzle client. Because no restriction is applied to the target address, attackers could probe host presence, discover open ports, and fingerprint services running inside the internal network, potentially exposing administrative interfaces or cloud metadata services that are normally inaccessible from outside.
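The description and the Impact paragraph above give the root cause: the user-supplied URL is used as-is as the target of a server-side request. The following is an added example, not Movary's code and not the fix shipped in 0.71.1, showing the check a server-side URL verifier should apply before contacting the host: parse the URL, accept only http(s), resolve the name, and reject loopback, link-local (including the cloud metadata address) and, unless the deployment opts in, private ranges. The function names, the fake DNS table and the sample URLs are assumptions for illustration.

```python
# Added example (not Movary's code, not the 0.71.1 fix): a target check
# for a server-side URL verifier.  Names, the fake DNS table and the sample
# URLs are assumptions for illustration.
import ipaddress
import socket
from typing import Callable, Dict, List, Optional, Tuple, Union
from urllib.parse import urlsplit

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Resolver = Callable[[str], List[str]]

ALLOWED_SCHEMES = {"http", "https"}

# Never a legitimate target for a user-steered server-side request.
ALWAYS_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # 0.0.0.0 reaches local listeners on Linux
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local, includes 169.254.169.254 cloud metadata
    "::/128",          # IPv6 unspecified
    "::1/128",         # IPv6 loopback
    "fe80::/10",       # IPv6 link-local
)]

# Private ranges: a LAN-hosted Jellyfin lives here, so these are opt-in.
PRIVATE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918
    "100.64.0.0/10",                                   # CGNAT
    "fc00::/7",                                        # IPv6 unique local
)]


def system_resolver(host: str) -> List[str]:
    """All A/AAAA answers for host from the OS resolver (raises OSError on failure)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def ip_literal(host: str) -> Optional[Address]:
    """Return the address a literal host denotes, or None if host is a name.
    Also normalises legacy IPv4 spellings (127.1, 2130706433) that slip past
    naive string checks but that an HTTP client happily connects to."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(socket.inet_ntoa(socket.inet_aton(host)))
    except OSError:
        return None


def blocked_reason(addr: Address, allow_private: bool) -> Optional[str]:
    """Name the range addr falls in if it must not be contacted, else None."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    for net in ALWAYS_BLOCKED:
        if addr in net:
            return f"{addr} is in blocked range {net}"
    if not allow_private:
        for net in PRIVATE:
            if addr in net:
                return f"{addr} is in private range {net}"
    return None


def check_server_url(url: str, resolve: Resolver = system_resolver,
                     allow_private: bool = False) -> Tuple[bool, str]:
    """Decide whether a user-supplied base URL may be fetched server-side.

    Every address the host maps to is checked, so a DNS name pointing at
    loopback is rejected exactly like a literal 127.0.0.1.
    """
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    literal = ip_literal(host)
    if literal is not None:
        addrs: List[Address] = [literal]
    else:
        try:
            addrs = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):
            return False, "host does not resolve"
        if not addrs:
            return False, "host does not resolve"
    for addr in addrs:
        reason = blocked_reason(addr, allow_private)
        if reason:
            return False, reason
    return True, "ok"


# Constructed DNS table standing in for the resolver, so this runs offline.
FAKE_DNS: Dict[str, List[str]] = {
    "media.example.com": ["203.0.113.10"],
    "jellyfin.lan": ["192.168.1.20"],
    "localhost": ["127.0.0.1", "::1"],
    "rebind.example": ["203.0.113.10", "127.0.0.1"],  # one answer is loopback
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"NXDOMAIN {host}")
    return FAKE_DNS[host]


def demo() -> Dict[str, bool]:
    """Verdicts for a handful of constructed inputs (target -> allowed?)."""
    cases = [
        "http://media.example.com:8096", "http://jellyfin.lan:8096",
        "http://127.0.0.1:8096", "http://127.1/", "http://2130706433/",
        "http://[::1]:8096", "http://[::ffff:127.0.0.1]/",
        "http://localhost:8096", "http://rebind.example",
        "http://169.254.169.254/latest/meta-data/", "http://0.0.0.0:8096",
        "ftp://media.example.com", "http://u:p@media.example.com",
    ]
    return {u: check_server_url(u, fake_resolver)[0] for u in cases}


if __name__ == "__main__":
    for url, ok in demo().items():
        print(f"{'ALLOW' if ok else 'DENY '} {url}")
```

Two things the check alone does not cover: the request itself must not follow redirects (Guzzle's `allow_redirects` option disabled), otherwise a public host can 302 the server to 127.0.0.1, and the address checked here should be the one actually connected to (pin it through the HTTP client's resolver option) to close the DNS-rebinding window between check and connect. For a self-hosted app whose Jellyfin usually sits on the LAN, blocking all of RFC 1918 breaks the feature, which is why the private ranges are opt-in above; an administrator-configured allowlist of Jellyfin hosts is the more precise alternative.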

Affected Systems

The vulnerability affects Movary (vendor: leepeuker). Any deployment running a version prior to 0.71.1 in which ordinary, non-administrative users can log in to the web interface is impacted, because the endpoint only requires an authenticated session. The flaw is in the Jellyfin server URL verification function, which is present in all affected releases.

Risk and Exploitability

With a CVSS 3.1 score of 7.7 (vector AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), the vulnerability is classified as High: it is reachable over the network, needs only low-privilege credentials and no user interaction, and has a changed scope because the impact lands on internal hosts rather than on Movary itself. The EPSS score is below 1% (Very Low), and the flaw is not listed in the CISA KEV catalog. The attack requires an authenticated user, so an attacker must first obtain legitimate credentials or compromise an account; the bar is lowest on instances shared among many users. Once authenticated, they can use the endpoint to conduct internal reconnaissance (host discovery, port-state probing, service fingerprinting), potentially reaching sensitive internal services. Because affected versions apply no restriction on the target and the server can reach hosts the attacker cannot, the risk remains high for exposed or poorly segmented deployments.

Generated by OpenCVE AI on April 18, 2026 at 08:43 UTC.

Remediation

Vendor fix: Movary version 0.71.1, which the advisory states fixes the issue. No vendor-published workaround for earlier versions is listed here.

OpenCVE Recommended Actions

  • Upgrade Movary to version 0.71.1 or later, the release in which the issue is fixed.
  • If upgrading immediately is infeasible, block `POST /settings/jellyfin/server-url-verify` at the reverse proxy, or restrict it to an administrator source address, since any authenticated user can otherwise reach it.
  • Restrict outbound HTTP from the Movary process or container with egress firewall rules or network segmentation: deny loopback, link-local (including the 169.254.169.254 metadata address) and private ranges except the hosts Movary legitimately needs, such as the real Jellyfin server, and monitor for bursts of requests to the endpoint or unexpected outbound connections.
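The last action above recommends monitoring. As an added example, not part of this page or of Movary, here is a detector that reads reverse-proxy access lines and flags any client that posts to the verification endpoint more than a handful of times per minute, which is what a sweep of internal hosts or ports through this endpoint looks like from the outside. The log lines are constructed in nginx's default combined format; the path, threshold and window are assumptions, and the submitted target URL travels in the POST body, so it is not visible in these lines.

```python
# Added example (not part of the OpenCVE page or of Movary): flag bursts of
# POSTs to the URL-verify endpoint in a reverse-proxy access log.  Log lines
# are constructed; path, threshold and window are assumptions.
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Optional, Tuple

VERIFY_PATH = "/settings/jellyfin/server-url-verify"

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \d+ "[^"]*" "[^"]*"$'
)


def parse_line(line: str) -> Optional[Tuple[datetime, str, str, str, int]]:
    """(timestamp, client ip, method, path without query, status), or None if unparseable."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("time"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("target").split("?", 1)[0]
    return ts, m.group("ip"), m.group("method"), path, int(m.group("status"))


def find_probe_bursts(lines: List[str], threshold: int = 5,
                      window_seconds: int = 60) -> List[Tuple[str, str, int]]:
    """Sliding-window count of POST VERIFY_PATH per client ip.

    Returns (ip, ISO time of the first request in the offending window,
    peak number of requests seen inside one window) for each client that
    reached threshold.  Lines are assumed to be in time order.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    flagged: Dict[str, Tuple[datetime, int]] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the scan
        ts, ip, method, path, _status = rec
        if method != "POST" or path != VERIFY_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop requests that fell out of the window
        if len(q) >= threshold:
            first, peak = flagged.get(ip, (q[0], 0))
            flagged[ip] = (first, max(peak, len(q)))
    return sorted((ip, first.isoformat(), peak) for ip, (first, peak) in flagged.items())


# Constructed sample: one client fires eight verifications in 21 seconds
# (the shape of a host/port sweep), another verifies once, plus noise.
SAMPLE_LOG = [
    f'203.0.113.7 - - [18/Apr/2026:10:00:{s:02d} +0000] '
    f'"POST {VERIFY_PATH} HTTP/1.1" 200 57 "-" "curl/8.5.0"'
    for s in range(0, 24, 3)
] + [
    f'198.51.100.3 - - [18/Apr/2026:10:00:25 +0000] "POST {VERIFY_PATH} HTTP/1.1" 200 57 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [18/Apr/2026:10:00:30 +0000] "GET /settings/jellyfin HTTP/1.1" 200 4012 "-" "curl/8.5.0"',
    f'203.0.113.7 - - [18/Apr/2026:10:05:00 +0000] "POST {VERIFY_PATH} HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    'garbage line that should be skipped',
]


if __name__ == "__main__":
    for ip, first, peak in find_probe_bursts(SAMPLE_LOG):
        print(f"{ip}: {peak} verify calls within 60s starting {first}")
```

The web-server log only shows the burst, not the targets. To see which hosts were probed, log the submitted URL at the application layer, or watch egress from the Movary container, where one source opening many short-lived connections to sequential internal addresses and ports stands out on its own.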


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 01:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Leepeuker; Leepeuker movary
Vendors & Products                     Leepeuker; Leepeuker movary

Sat, 18 Apr 2026 00:15:00 +0000

Type          Values Removed   Values Added
Description                    (the description shown at the top of this page)
Title                          Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing
Weaknesses                     CWE-918
References
Metrics                        cvssV3_1 {'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-18T00:01:09.725Z

Reserved: 2026-04-10T22:50:01.359Z

Link: CVE-2026-40348

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-18T00:16:38.663

Modified: 2026-04-18T00:16:38.663

Link: CVE-2026-40348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T08:45:41Z

Weaknesses