Platform
other
Component
movary
Fixed in
0.70.1
CVE-2026-23841 describes a Cross-Site Scripting (XSS) vulnerability affecting Movary, a web application for tracking and rating movies. This vulnerability allows attackers to inject malicious scripts into the application, potentially leading to data theft and session hijacking. The issue impacts versions of Movary prior to 0.70.0, and a patch has been released in version 0.70.0.
The XSS vulnerability in Movary arises from insufficient input validation within the ?categoryCreated= parameter. An attacker can craft a malicious URL containing a JavaScript payload and trick a user into clicking it. Upon visiting the crafted URL, the injected script executes within the user's browser context, with the same privileges as the Movary application. This allows the attacker to steal cookies, redirect the user to a phishing site, or deface the application. The potential impact extends to all users of the vulnerable application, particularly those who interact with the ?categoryCreated= parameter.
CVE-2026-23841 was publicly disclosed on 2026-01-19. No public proof-of-concept (PoC) code has been identified at the time of writing, but the vulnerability's nature makes it likely that PoCs will emerge. The CVSS score of 9.3 (CRITICAL) indicates a high probability of exploitation if the vulnerability is exposed. It is not currently listed on CISA KEV.
Users of Movary versions prior to 0.70.0 are at risk, particularly those who frequently interact with the application's category creation features. Shared hosting environments where multiple users share the same Movary instance are also at increased risk, as a compromise of one user could potentially affect others.
Disclosure
Exploit status
EPSS
0.15% (36th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-23841 is to upgrade Movary to version 0.70.0 or later, which includes the necessary input validation fixes. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious JavaScript code in the ?categoryCreated= parameter. Additionally, carefully review any custom code or plugins integrated with Movary to ensure they do not introduce similar vulnerabilities. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the ?categoryCreated= parameter and verifying that it is properly sanitized.
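The post-upgrade check described above, written out as an added example (not part of this advisory or of the Movary project): it places a harmless marker made of HTML metacharacters in the ?categoryCreated= parameter and reports whether the response reflects it raw, only partially escaped, or fully escaped. The route path is a placeholder, since the advisory names only the parameter.

```python
"""Post-upgrade reflection check for the Movary ?categoryCreated= parameter (CVE-2026-23841).

Added example, not code from the advisory or the Movary project. Run it only against
an instance you administer, after upgrading, to confirm the value is escaped.
"""
import secrets
import sys
import urllib.parse
import urllib.request

# Assumption: the page that reads ?categoryCreated= lives under this path.
# The advisory names only the parameter, so replace this with the real route.
PLACEHOLDER_PATH = "/settings/categories"  # hypothetical


def build_marker(token: str) -> str:
    """Benign probe: a unique token wrapped in a quote and a harmless <i> tag, no script."""
    return f'"<i>probe-{token}</i>'


def classify_reflection(body: str, token: str) -> str:
    """Classify how the marker came back: 'absent', 'raw', 'partial' or 'escaped'."""
    if f"probe-{token}" not in body:
        return "absent"  # value not reflected at all
    if f"<i>probe-{token}</i>" in body:
        return "raw"  # tag survived unescaped: still vulnerable
    if f'"&lt;i&gt;probe-{token}' in body:
        return "partial"  # tags escaped but the quote was not: unsafe inside attribute values
    return "escaped"  # token present, metacharacters neutralised


def check_instance(base_url: str, path: str = PLACEHOLDER_PATH) -> str:
    """Fetch the page with the probe in ?categoryCreated= and classify the reflection."""
    token = secrets.token_hex(4)
    query = urllib.parse.urlencode({"categoryCreated": build_marker(token)})
    url = f"{base_url.rstrip('/')}{path}?{query}"
    # Add a session cookie header here if the route requires a logged-in user.
    with urllib.request.urlopen(url, timeout=10) as resp:
        charset = resp.headers.get_content_charset() or "utf-8"
        body = resp.read().decode(charset, "replace")
    return classify_reflection(body, token)


if __name__ == "__main__":
    # Usage: python check_movary_xss.py https://movary.example.internal
    print(check_instance(sys.argv[1]))
```

Anything other than "escaped" or "absent" after the upgrade means the reflection still needs attention.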
Update Movary to version 0.70.0 or later. This version contains the fix for the cross-site scripting vulnerability. The update can be applied through the update channels provided by the software.
CVE-2026-23841 is a critical XSS vulnerability in Movary versions before 0.70.0, allowing attackers to inject malicious scripts via the ?categoryCreated= parameter.
Yes, if you are using Movary version 0.70.0 or earlier, you are vulnerable to this XSS attack.
Upgrade Movary to version 0.70.0 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation.
Refer to the Movary project's official website or repository for the latest security advisories and updates.