CVE-2026-23839

Published: Jan 19, 2026Modified: Feb 3, 2026

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.

Affected (1)

Products: Leepeuker: Movary

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Leepeuker Movary	Before 0.70.0

Related CWEs

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (3)

https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237

Source: security-advisories@github.com

Product

https://github.com/leepeuker/movary/releases/tag/0.70.0

Source: security-advisories@github.com

Release Notes

https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq

Source: security-advisories@github.com

ExploitVendor Advisory

Timeline

No history available yet.