Platform
php
Component
movary
Fixed in
0.71.2
CVE-2026-40348 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Movary, a self-hosted web application for tracking and rating movies. This flaw allows authenticated users to initiate server-side requests to arbitrary internal targets, potentially exposing sensitive internal resources. The vulnerability impacts versions 0.0.0 up to, but not including, 0.71.1, and a patch is available in version 0.71.1.
The SSRF vulnerability in Movary allows an authenticated user to bypass security controls and make requests to internal resources that are otherwise inaccessible. An attacker could leverage this to scan the internal network for open ports and services, potentially identifying other vulnerable systems. They could also attempt to access sensitive data stored on internal servers, such as configuration files or databases. The impact is amplified if Movary is deployed within a segmented network, as the attacker could potentially pivot to other internal networks. This vulnerability shares similarities with other SSRF exploits where internal services are inadvertently exposed due to insufficient input validation.
CVE-2026-40348 was publicly disclosed on 2026-04-18. No public proof-of-concept (PoC) code has been released at the time of writing, but the SSRF nature of the vulnerability makes it likely that a PoC will emerge. The EPSS score is currently pending evaluation. It is not currently listed on the CISA KEV catalog.
Organizations running Movary in environments with internal services accessible via HTTP/HTTPS are at risk. This includes deployments where Movary is used to manage media libraries and interact with Jellyfin or other internal media servers. Shared hosting environments where multiple users share the same Movary instance are particularly vulnerable, as a compromised user account could be used to exploit the SSRF vulnerability.
• php: Examine Movary's logs for suspicious outbound HTTP requests to internal IP addresses or unusual domains, and search the web server access log for requests to /settings/jellyfin/server-url-verify.
grep -r '/settings/jellyfin/server-url-verify' /var/log/apache2/access.log
• generic web: Monitor web server access logs for requests to the /settings/jellyfin/server-url-verify endpoint originating from authenticated users. Look for unusual User-Agent strings or request headers.
curl -I http://movary.example.com/settings/jellyfin/server-url-verify
Disclosure
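The grep above only lists hits; what a defender actually wants to know is whether one client is hammering the endpoint, since the URL being verified usually travels in the POST body and never reaches the access log. The following is an added example for this advisory, not Movary project code: it parses combined-format access log lines and flags any client that makes at least a threshold number of requests to the endpoint inside a one-minute window. The log lines in SAMPLE_LOG, the client names and the 10-per-minute threshold are constructed.

```python
"""Burst detection for Movary's /settings/jellyfin/server-url-verify endpoint
in combined-format web server access logs.

Added example written for this advisory; it is not Movary project code, and
the log lines in SAMPLE_LOG are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

ENDPOINT = "/settings/jellyfin/server-url-verify"

# Apache/nginx "combined" format:
# ip - user [dd/Mon/yyyy:HH:MM:SS +zzzz] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_verify_bursts(lines, window=timedelta(minutes=1), threshold=10):
    """Map client IP -> total hits on ENDPOINT for every client that made at
    least `threshold` requests to it inside some `window`-long span.

    A person verifying their Jellyfin URL produces a handful of hits; dozens
    per minute from one client is what a sweep of internal hosts through the
    SSRF would look like in the access log."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].split("?", 1)[0] != ENDPOINT:
            continue
        hits[rec["ip"]].append(rec["time"])

    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def _constructed_log():
    """Constructed sample: one client hammering the endpoint, one normal user, some noise."""
    fmt = "%d/%b/%Y:%H:%M:%S %z"
    base = datetime(2026, 4, 18, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(12):  # 12 hits in 22 seconds -> suspicious
        t = (base + timedelta(seconds=2 * i)).strftime(fmt)
        lines.append(f'10.0.0.5 - alice [{t}] "POST {ENDPOINT} HTTP/1.1" 200 47 "-" "python-requests/2.31"')
    for i in range(2):  # 2 hits five minutes apart -> normal
        t = (base + timedelta(minutes=5 * i)).strftime(fmt)
        lines.append(f'192.168.1.20 - bob [{t}] "POST {ENDPOINT} HTTP/1.1" 200 47 "https://movary.example.com/settings" "Mozilla/5.0"')
    t = base.strftime(fmt)
    lines.append(f'192.168.1.20 - bob [{t}] "GET /movies HTTP/1.1" 200 8123 "-" "Mozilla/5.0"')
    lines.append("this line is not a valid access log entry")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    for ip, n in find_verify_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {n} requests to {ENDPOINT} in a short burst")
```

Feed it real lines with `find_verify_bursts(open("/var/log/apache2/access.log"))`; the window and threshold are tunable, and the `user` field (present when the site uses HTTP authentication) can replace the IP as the key when users sit behind a shared proxy.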
Exploit status
EPSS
0.01% (1st percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40348 is to immediately upgrade Movary to version 0.71.1 or later. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests to the /settings/jellyfin/server-url-verify endpoint or restrict the allowed URL schemes. Additionally, review the Movary configuration to ensure that the Jellyfin server URL is explicitly defined and validated, preventing user-controlled input. Monitor access logs for unusual outbound requests originating from the Movary application.
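The validation step the mitigation calls for, restricting the scheme and rejecting any server URL that points at an internal address, looks roughly like the check below. This is an added example for this advisory, not Movary's code: Movary is written in PHP, so this Python only demonstrates the logic, and `is_safe_target`, `constructed_resolver` and the DNS answers in CONSTRUCTED_DNS are all assumptions made so it runs offline. The hostname is resolved during the check so that a DNS name pointing at a private range is refused just like a literal private IP.

```python
"""Allowlist-style check on a user-supplied media-server URL before the
application fetches it.

Added example for this advisory, not Movary's code: Movary is written in PHP,
so this Python only shows the logic. The DNS answers in CONSTRUCTED_DNS are
constructed so the example runs without network access."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def _system_resolver(host):
    """Resolve `host` to the set of IP address strings the OS resolver returns."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_internal(addr):
    """True for any address a server-side fetch must never reach: loopback,
    RFC 1918 / ULA, link-local, multicast, reserved and unspecified.
    IPv4-mapped IPv6 (::ffff:a.b.c.d) is unwrapped first so it cannot hide an IPv4 range."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_target(url, resolver=_system_resolver):
    """Return True only if `url` uses an allowed scheme, carries no embedded
    credentials, and every address its host resolves to is public.

    The fetching code must then connect to the addresses checked here (or
    re-check after its own resolution), otherwise a second DNS lookup can
    return a different answer (DNS rebinding)."""
    try:
        parts = urlsplit(url)
    except ValueError:          # e.g. malformed IPv6 bracket syntax
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or parts.username is not None or parts.password is not None:
        return False
    try:
        addrs = {ipaddress.ip_address(parts.hostname)}      # literal IP address
    except ValueError:                                      # hostname: resolve it
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(parts.hostname)}
        except (socket.gaierror, ValueError):
            return False
    if not addrs:
        return False
    return not any(_is_internal(a) for a in addrs)


# Constructed DNS table so the check can run offline (assumption, not real DNS).
CONSTRUCTED_DNS = {
    "jellyfin.example.com": ["8.8.8.8"],    # constructed: stands in for any public address
    "intranet.example.com": ["10.0.0.8"],   # constructed: resolves into a private range
}


def constructed_resolver(host):
    """Hypothetical resolver backed by CONSTRUCTED_DNS; unknown names fail like NXDOMAIN."""
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"unknown host {host}")
    return CONSTRUCTED_DNS[host]


if __name__ == "__main__":
    for u in ("https://jellyfin.example.com:8096/", "http://intranet.example.com/",
              "http://127.0.0.1:8096/", "http://[::ffff:10.0.0.8]/", "file:///etc/hosts"):
        verdict = "allow" if is_safe_target(u, constructed_resolver) else "reject"
        print(f"{verdict:6}  {u}")
```

An even tighter variant for a single-tenant deployment is to drop the resolver entirely and compare the submitted URL against the one Jellyfin URL the administrator configured, which is what the advisory means by "explicitly defined"; the address check above is the fallback when users must be allowed to enter their own server.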
Update Movary to version 0.71.1 or later to fix the SSRF vulnerability. This version fixes the issue by restricting the URLs the server is allowed to access, which prevents requests from being sent to arbitrary internal targets.
CVE-2026-40348 is a HIGH severity SSRF vulnerability affecting Movary versions 0.0.0 through 0.71.0, allowing authenticated users to trigger server-side requests to internal targets.
You are affected if you are running Movary versions 0.0.0 through 0.71.0. Upgrade to version 0.71.1 or later to mitigate the vulnerability.
Upgrade Movary to version 0.71.1 or later. As a temporary workaround, restrict outbound network access from the Movary server using a firewall or proxy.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and updates.