Platform: other
Component: movary
Fixed in: 0.70.1
CVE-2026-23841 describes a Cross-Site Scripting (XSS) vulnerability affecting Movary, a web application designed for tracking and rating movies. This flaw allows attackers to inject malicious scripts into the application, potentially compromising user accounts and data. The vulnerability impacts versions of Movary prior to 0.70.0, and a fix is available in version 0.70.0.
The impact of this XSS vulnerability is significant. An attacker could leverage the ?categoryCreated= parameter to inject arbitrary JavaScript code into the Movary application. This code could then be executed in the context of a victim's browser, allowing the attacker to steal session cookies, redirect users to malicious websites, or deface the application. Successful exploitation could lead to account takeover, data theft, and further compromise of the user's system. The scope of impact extends to all users who interact with the vulnerable parameter, potentially affecting a wide range of Movary users.
This vulnerability was publicly disclosed on 2026-01-19. No public proof-of-concept exploits have been identified at the time of writing, but the ease of exploitation inherent in XSS vulnerabilities suggests a potential for rapid exploitation. The CVSS score of 9.3 (CRITICAL) reflects the high severity of this vulnerability.
Exploit Status
EPSS: 0.15% (36th percentile)
The primary mitigation for CVE-2026-23841 is to upgrade Movary to version 0.70.0 or later, which includes the necessary input validation fixes. If immediate upgrading is not possible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious input in the ?categoryCreated= parameter. Carefully review and sanitize any user-supplied input before rendering it in the application. Monitor application logs for unusual activity or attempts to inject scripts.
Update Movary to version 0.70.0 or higher. This version contains the fix for the Cross-site Scripting (XSS) vulnerability. The update can be performed through the software's provided update channels.
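To make the mitigation concrete, the following added example (illustrative Python, not Movary's own code, which is a PHP application) contrasts a page that reflects the `categoryCreated` query value verbatim with one that escapes it for an HTML context, and adds a small log check for the monitoring step above. The log layout, the `render_notice_*` helpers and the `SUSPICIOUS` pattern are assumptions for this illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Hypothetical notice template: the value of ?categoryCreated= is reflected
# into the page. Both renderers are illustrative, not Movary's code.

def render_notice_unsafe(category: str) -> str:
    """Reflects the query value verbatim: the pattern this advisory describes."""
    return f'<div class="notice">Category "{category}" was created.</div>'

def render_notice_safe(category: str) -> str:
    """Escapes the value for an HTML text context before reflecting it.
    quote=True also escapes quotes, so the same helper is safe inside attributes."""
    escaped = html.escape(category, quote=True)
    return f'<div class="notice">Category "{escaped}" was created.</div>'

# Conservative indicator of markup or script being smuggled into the parameter,
# for the log-monitoring step the advisory recommends. Tune to your own traffic.
SUSPICIOUS = re.compile(r"<\s*/?\s*\w+|javascript:|on\w+\s*=", re.IGNORECASE)

def flag_suspicious_requests(log_lines):
    """Return categoryCreated values that look like injection attempts.
    Assumes a common access-log layout: '... "GET <path> HTTP/1.1" ...'."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP', line)
        if not m:
            continue
        params = parse_qs(urlparse(m.group(1)).query)  # percent-decodes values
        for value in params.get("categoryCreated", []):
            if SUSPICIOUS.search(value):
                hits.append(value)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [19/Jan/2026:10:00:00 +0000] "GET /?categoryCreated=Thriller HTTP/1.1" 200 512',
    '10.0.0.9 - - [19/Jan/2026:10:00:01 +0000] "GET /?categoryCreated=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 512',
    '10.0.0.7 - - [19/Jan/2026:10:00:02 +0000] "GET /movies HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_notice_safe("<b>x</b>"))
    print(flag_suspicious_requests(SAMPLE_LOG))
```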
CVE-2026-23841 is a critical XSS vulnerability in Movary versions before 0.70.0, allowing attackers to inject malicious scripts via the ?categoryCreated= parameter.
Yes, if you are using Movary version 0.70.0 or earlier, you are vulnerable to this XSS attack.
Upgrade Movary to version 0.70.0 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation.
While no public exploits are currently known, the ease of exploitation suggests a potential for active exploitation.
Refer to the Movary project's official website or repository for the latest security advisories and updates.