CVE-2026-23840

Severity CVSS v4.0:

Pending analysis

Type:

CWE-20 Input Validation

Publication date:

19/01/2026

Last modified:

19/01/2026

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.

Impact

Vector 3.x

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N CVSS v3.1 Severity and Metrics:

Base Score: 9.30 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): Required
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): None

Base Score 3.x

9.30

Severity 3.x

CRITICAL

References to Advisories, Solutions, and Tools

https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204
https://github.com/leepeuker/movary/releases/tag/0.70.0
https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57