CVE-2026-23839

9.3 CRITICAL
Published: January 19, 2026 Modified: February 03, 2026
View on NVD

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237
Source: security-advisories@github.com
Product
https://github.com/leepeuker/movary/releases/tag/0.70.0
Source: security-advisories@github.com
Release Notes
https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq
Source: security-advisories@github.com
Exploit Vendor Advisory

3 reference(s) from NVD

Quick Stats

CVSS v3 Score
9.3 / 10.0
EPSS (Exploit Probability)
0.1%
32th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-20 CWE-79

Affected Vendors

leepeuker

Related CVEs

CVE-2026-4302 7.2
CVE-2026-32899 4.3
CVE-2026-32898 5.4
CVE-2026-32897 3.7
CVE-2026-32896 4.8