CVE-2026-40348 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in Movary, a self-hosted web application for tracking and rating movies. This flaw allows authenticated users to initiate server-side requests to arbitrary internal targets, potentially exposing sensitive internal resources. The vulnerability impacts versions 0.0.0 up to, but not including, 0.71.1, and a patch is available in version 0.71.1.
The SSRF vulnerability in Movary allows an authenticated user to bypass security controls and make requests to internal services that are otherwise inaccessible from the outside. An attacker could leverage this to probe the internal network, discover internal services, and potentially access sensitive data residing on those services. For example, an attacker could attempt to access internal databases, configuration files, or other administrative interfaces. The blast radius extends to any internal resource accessible via HTTP/HTTPS from the Movary server, posing a significant risk to the confidentiality and integrity of the internal network.
As of the publication date (2026-04-18), this CVE has not been added to the CISA KEV catalog. There are no publicly known exploits or active campaigns targeting this vulnerability. The presence of a public proof-of-concept is currently unknown. Given the SSRF nature of the vulnerability and the ease of exploitation once authenticated, it is prudent to prioritize remediation.
Exploit status: EPSS 0.01% (1st percentile).
The primary mitigation for CVE-2026-40348 is to upgrade Movary to version 0.71.1 or later, which fixes the SSRF vulnerability. If upgrading is not immediately feasible, a temporary workaround is to restrict outbound network access from the Movary server with a firewall or an egress proxy, configured to block requests to internal IP ranges (e.g., 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and loopback addresses (127.0.0.1). After upgrading, verify the fix by submitting an internal URL to the /settings/jellyfin/server-url-verify endpoint and confirming that the request is rejected rather than forwarded.
Update Movary to version 0.71.1 or later to mitigate the SSRF vulnerability. This version fixes the issue by restricting the URLs that the server can access, thus preventing the possibility of making requests to arbitrary internal destinations.
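As an added illustration (written for this page, not Movary's own code; the advisory says only that 0.71.1 restricts the URLs the server can access), this is the kind of egress check a server-URL verification endpoint can apply before issuing any request. All names are hypothetical; the check resolves the host, refuses any destination in the ranges listed above (plus link-local, multicast and unspecified addresses), and hands back the vetted addresses so the caller connects to those instead of re-resolving the name.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Illustrative egress check for a "verify this server URL" feature (hypothetical
# helper, not Movary's own code): a destination is only contacted if every
# address it resolves to is globally routable.
ALLOWED_SCHEMES = {"http", "https"}

def default_resolver(hostname):
    """Resolve a hostname to every A/AAAA record it currently maps to."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})

def is_public_address(ip):
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip)
    # An IPv4-mapped IPv6 literal such as ::ffff:10.0.0.1 is judged as its
    # embedded IPv4 address, so the private-range test cannot be sidestepped.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def check_outbound_url(url, resolver=default_resolver):
    """Return (allowed, reason, targets). Connect only to the returned targets
    (do not re-resolve the name) so a DNS rebinding race cannot swap in a
    private address after the check; re-run the check on every redirect."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", []
    if not parts.hostname:
        return False, "missing host", []
    if parts.username or parts.password:
        return False, "credentials in URL", []
    try:  # IP literal (IPv4, or bracketed IPv6): no lookup needed
        targets = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        try:
            targets = resolver(parts.hostname)
        except socket.gaierror:
            targets = []
    if not targets:
        return False, "unresolvable host", []
    for ip in targets:  # one private record among several is enough to refuse
        if not is_public_address(ip):
            return False, f"resolves to non-public address {ip}", []
    return True, "ok", targets
```

The resolver is injectable so the check can be unit-tested against a constructed name table without network access.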
CVE-2026-40348 is a HIGH severity SSRF vulnerability affecting Movary versions 0.0.0 through 0.71.0, allowing authenticated users to trigger server-side requests to internal targets.
You are affected if you are running Movary versions 0.0.0 through 0.71.0. Upgrade to version 0.71.1 or later to mitigate the vulnerability.
Upgrade Movary to version 0.71.1 or later. As a temporary workaround, restrict outbound network access from the Movary server using a firewall or proxy.
As of the publication date, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants prompt remediation.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and updates.