Platform: other
Component: movary
Fixed version: 0.70.1
CVE-2026-23839 describes a critical Cross-Site Scripting (XSS) vulnerability affecting Movary, a web application designed for tracking and rating movies. This flaw allows attackers to inject malicious scripts into the application, potentially leading to account takeover and data theft. The vulnerability impacts versions of Movary prior to 0.70.0, and a patch has been released in version 0.70.0.
The XSS vulnerability in Movary arises from insufficient input validation when processing the ?categoryUpdated= parameter. An attacker can craft a malicious URL containing a JavaScript payload and entice a user to click on it. Upon clicking, the injected script executes within the user's browser context, allowing the attacker to steal cookies, session tokens, or redirect the user to a phishing site. This could result in unauthorized access to the user's Movary account and potentially other systems if the user reuses credentials. The impact is particularly severe as Movary handles sensitive user data, including movie preferences and ratings.
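The advisory does not show Movary's handler, so the following is an added, generic Python illustration of the reflection pattern it describes, not the project's code: `render_banner_unsafe` concatenates the `categoryUpdated` query value straight into HTML, `render_banner_safe` HTML-encodes it first, and `validate_category` shows the allowlist-style input validation the text refers to. The function names, the `/movies` path and the request URLs are all assumptions constructed for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit


def _category_from_url(url: str) -> str:
    """Extract the categoryUpdated query value (percent-decoded by parse_qs)."""
    return parse_qs(urlsplit(url).query).get("categoryUpdated", [""])[0]


def render_banner_unsafe(url: str) -> str:
    """Vulnerable pattern: the query value lands in the page unencoded,
    so a value containing markup is interpreted by the browser."""
    category = _category_from_url(url)
    return f'<div class="alert">Category "{category}" updated</div>'


def render_banner_safe(url: str) -> str:
    """Hardened pattern: HTML-encode the value at the point of output.
    quote=True also encodes quotes, which matters inside attributes."""
    category = html.escape(_category_from_url(url), quote=True)
    return f'<div class="alert">Category "{category}" updated</div>'


# Allowlist validation (hypothetical policy): a category label is a short
# run of letters, digits, spaces, underscores or hyphens. Anything else is
# rejected before rendering, independent of the output encoding above.
_CATEGORY_RE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")


def validate_category(value: str):
    """Return the value if it matches the allowlist, otherwise None."""
    return value if _CATEGORY_RE.match(value) else None


if __name__ == "__main__":
    # Constructed URLs: one benign, one carrying markup in the parameter.
    benign = "/movies?categoryUpdated=Favorites"
    hostile = "/movies?categoryUpdated=%3Cscript%3Ealert(1)%3C%2Fscript%3E"
    print(render_banner_unsafe(hostile))  # markup survives intact
    print(render_banner_safe(hostile))    # markup is rendered as text
    print(validate_category(benign.split("=")[1]), validate_category("<b>x</b>"))
```

Output encoding is the fix that closes the reflected-XSS hole regardless of what the parameter contains; the allowlist check is a defence-in-depth layer that also gives a clean place to log rejected values.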
This vulnerability was publicly disclosed on 2026-01-19. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it a likely target for opportunistic attackers. The CVSS score of 9.3 (CRITICAL) reflects the high severity and potential impact of this vulnerability. It is not currently listed on CISA KEV.
Users of Movary versions prior to 0.70.0 are at risk, particularly those who rely on the application to manage sensitive movie data or who share their Movary accounts. Shared hosting environments where multiple users share the same Movary instance are also at increased risk, as a compromise of one user's account could potentially expose others.
disclosure
Exploit status
EPSS
0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-23839 is to immediately upgrade Movary to version 0.70.0 or later, which includes the necessary input validation fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious characters or patterns in the ?categoryUpdated= parameter. Additionally, carefully review any custom code or plugins integrated with Movary to ensure they do not introduce similar vulnerabilities. Regularly scan the application for XSS vulnerabilities using automated tools.
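The WAF rule suggested above can be prototyped, or retrospectively applied to access logs, with a small scanner. This is an added example, not part of the advisory or of Movary: it parses constructed reverse-proxy log lines, pulls out the `categoryUpdated` value, percent-decodes it repeatedly so double-encoding does not slip past, and flags values that carry HTML or script markers or fall outside a hypothetical allowlist. The log format, addresses and request values are all invented for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines standing in for a reverse proxy in front of
# Movary. Addresses, timestamps and parameter values are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jan/2026:10:00:01 +0000] "GET /movies?categoryUpdated=Favorites HTTP/1.1" 200 512
10.0.0.7 - - [19/Jan/2026:10:00:02 +0000] "GET /movies?categoryUpdated=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
10.0.0.9 - - [19/Jan/2026:10:00:03 +0000] "GET /movies?categoryUpdated=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512
10.0.0.11 - - [19/Jan/2026:10:00:04 +0000] "GET /settings HTTP/1.1" 200 300
"""

LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?:GET|POST) (?P<target>\S+) HTTP/[\d.]+"')

# Hypothetical allowlist: what a legitimate category label looks like.
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 _-]{1,64}$")

# Markers of reflected HTML/script, checked on the fully decoded value.
XSS_MARKERS = re.compile(r"<\s*/?\s*[a-z]|javascript\s*:|\bon[a-z]+\s*=", re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded to avoid loops)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return (ip, decoded_value, reason) for a suspicious line, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    values = parse_qs(query).get("categoryUpdated")
    if not values:
        return None  # parameter absent or empty: nothing to inspect
    value = fully_decode(values[0])  # parse_qs already decoded one round
    if XSS_MARKERS.search(value):
        return (m.group("ip"), value, "xss-signature")
    if not ALLOWED_VALUE.match(value):
        return (m.group("ip"), value, "outside-allowlist")
    return None


def scan_log(text: str):
    """Run inspect_line over every line and keep the hits, in log order."""
    return [hit for hit in (inspect_line(l) for l in text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, value, reason in scan_log(SAMPLE_LOG):
        print(f"{reason:17} {ip:10} {value!r}")
```

Running it on the sample flags the two lines whose decoded parameter contains markup and passes the plain `Favorites` value and the request without the parameter. The allowlist branch matters more than the signature list in practice: a positive rule catches encodings and tag variants a denylist was not written for, at the cost of having to know what legitimate values look like.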
Update Movary to version 0.70.0 or later. This version includes a fix for the cross-site scripting (XSS) vulnerability. You can update by downloading the latest version from the official site or by using the update mechanism built into the application.
CVE-2026-23839 is a critical XSS vulnerability in Movary versions before 0.70.0, allowing attackers to inject malicious scripts via the ?categoryUpdated= parameter.
Yes, if you are using Movary version 0.70.0 or earlier, you are vulnerable to this XSS attack. Upgrade immediately.
Upgrade Movary to version 0.70.0 or later to patch the vulnerability. Consider a WAF as a temporary mitigation if upgrading is not immediately possible.
While no active exploitation has been confirmed, the ease of exploitation makes it a likely target, and proactive mitigation is recommended.
Refer to the Movary project's official website or GitHub repository for the latest security advisories and release notes.