Platform: javascript
Component: movary
Fixed in: 0.70.1
CVE-2026-23840 describes a critical Cross-Site Scripting (XSS) vulnerability affecting Movary, a web application designed for tracking and rating movies. This flaw allows attackers to inject malicious scripts into the application, potentially leading to session hijacking and data theft. The vulnerability impacts versions of Movary prior to 0.70.0, and a patch has been released in version 0.70.0.
The XSS vulnerability in Movary arises from insufficient input validation when handling the ?categoryDeleted= parameter. An attacker can craft a malicious URL containing a JavaScript payload and, when a user clicks on this link, the script will execute within the context of their browser session. This allows the attacker to steal cookies, redirect the user to a phishing site, or deface the application. The impact is significant, as successful exploitation could compromise user accounts and potentially expose sensitive movie tracking data. Given the nature of XSS, the blast radius extends to all users who interact with the vulnerable parameter, regardless of their role or privileges within the application.
CVE-2026-23840 was publicly disclosed on 2026-01-19. No known public proof-of-concept (PoC) exploits are currently available, but the ease of exploitation inherent in XSS vulnerabilities suggests that one may emerge. The vulnerability is not currently listed on CISA KEV. Given the CRITICAL CVSS score and the potential for widespread impact, organizations using Movary should prioritize patching.
Exploit Status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-23840 is to immediately upgrade Movary to version 0.70.0 or later, which includes the necessary input validation fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious characters or patterns in the ?categoryDeleted= parameter. Additionally, carefully review and sanitize any user-supplied input within the application to prevent similar vulnerabilities from arising in the future. After upgrading, confirm the fix by attempting to inject a simple JavaScript payload into the ?categoryDeleted= parameter and verifying that it is properly sanitized and does not execute.
Update Movary to version 0.70.0 or higher. This version corrects the Cross-site Scripting (XSS) vulnerability by properly validating the `categoryDeleted` parameter input. The update will prevent attackers from executing malicious scripts in your browser.
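As an added illustration (not Movary's code and not part of this advisory), the JavaScript below contrasts the flawed pattern the advisory describes, reflecting a query parameter such as `categoryDeleted` straight into page markup, with two defensive patterns: HTML output encoding and an allow-list check of the value's shape. The banner markup, the message text and the category-name pattern are assumptions made for the example.

```javascript
// Added example, not Movary's code. Demonstrates why reflecting a query
// parameter into HTML without encoding is dangerous, and two defences.

// Minimal HTML entity encoder for text placed in element content or in a
// double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Vulnerable pattern: the raw parameter value is concatenated into markup,
// so any tags in it become part of the page.
function renderBannerUnsafe(categoryDeleted) {
  return `<div class="alert">Category "${categoryDeleted}" was deleted.</div>`;
}

// Hardened pattern: the value is HTML-encoded before it reaches the markup,
// so it is displayed as text rather than interpreted as HTML.
function renderBannerSafe(categoryDeleted) {
  return `<div class="alert">Category "${escapeHtml(categoryDeleted)}" was deleted.</div>`;
}

// Stricter alternative (input validation): accept only values matching the
// expected shape. The pattern here (letters, digits, underscore, space,
// dash, up to 64 characters) is an assumption about what a category name
// looks like; returns null for anything else.
function validateCategoryName(value) {
  return /^[\w \-]{1,64}$/.test(value) ? value : null;
}

// Read ?categoryDeleted= from a URL the way a page script might.
function categoryDeletedFromUrl(url) {
  return new URL(url).searchParams.get("categoryDeleted");
}

// Crude check used only to compare the two renderers: does the rendered HTML
// still contain the input verbatim when that input starts a tag?
function containsRawTag(html, input) {
  return /<[a-z]/i.test(input) && html.includes(input);
}

// Constructed probe value of the kind used to confirm a fix after upgrading.
const PROBE = "<script>alert(1)</script>";

if (typeof require !== "undefined" && require.main === module) {
  const url = "https://example.invalid/movies?categoryDeleted=" + encodeURIComponent(PROBE);
  const value = categoryDeletedFromUrl(url);
  console.log("unsafe:", renderBannerUnsafe(value));
  console.log("safe:  ", renderBannerSafe(value));
  console.log("validated:", validateCategoryName(value)); // null: rejected
}
```

Output encoding at the point where the value is written into HTML is the fix that removes the XSS regardless of what the parameter contains; shape validation is a useful second layer (and is the kind of check a temporary WAF rule approximates), but on its own it only helps when the expected value set is narrow enough to describe precisely.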
CVE-2026-23840 is a critical Cross-Site Scripting (XSS) vulnerability in Movary versions prior to 0.70.0, allowing attackers to inject malicious scripts.
You are affected if you are using Movary version 0.70.0 or earlier. Upgrade to 0.70.0 to mitigate the risk.
Upgrade Movary to version 0.70.0 or later. Consider a WAF rule to filter suspicious requests as a temporary measure.
There are no confirmed reports of active exploitation at this time, but the vulnerability's severity warrants immediate attention.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and release notes.