{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23839", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.842Z", "datePublished": "2026-01-19T18:27:25.541Z", "dateUpdated": "2026-01-20T21:42:05.092Z"}, "containers": {"cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryUpdated=` param", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq"}, {"name": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237"}, {"name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.70.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:27:25.541Z"}, "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue."}], "source": {"advisory": "GHSA-v32w-5qx7-p3vq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T21:41:56.409232Z", "id": "CVE-2026-23839", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T21:42:05.092Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryUpdated=` param", "source": {"advisory": "GHSA-v32w-5qx7-p3vq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"status": "affected", "version": "< 0.70.0"}]}], "references": [{"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq", "name": "https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237", "name": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:27:25.541Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23839", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T21:41:56.409232Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-01-20T21:42:00.635Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-23839", "state": "PUBLISHED", "dateUpdated": "2026-01-19T18:27:25.541Z", "dateReserved": "2026-01-16T15:46:40.842Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T18:27:25.541Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*", "matchCriteriaId": "97791827-BE81-4574-9CDC-B0033B5ADE68", "versionEndExcluding": "0.70.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue."}], "id": "CVE-2026-23839", "lastModified": "2026-02-03T14:48:00.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T19:16:04.080", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L237"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:04:28.754654+00:00", "value": {"mitigation_remediation": ["Upgrade Movary to version 0.70.0 or later, which sanitizes the `categoryUpdated` parameter.", "Configure the application to validate or sanitize input for the `categoryUpdated` query parameter, ensuring only expected values or appropriate encoding before rendering.", "Deploy web application firewall rules or implement Content Security Policy headers to block or mitigate malicious scripts injected via the parameter."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting that enables arbitrary client\u2011side code execution"}, "threat_synthesis": {"affected_systems": "The vulnerable product is Movary developed by leepeuker. All releases older than version 0.70.0 are susceptible. Version 0.70.0 and later include the fix that sanitizes the `categoryUpdated` parameter.", "description_and_impact": "Movary, an application for tracking movie watch history, has an insufficient input validation flaw that permits attackers to inject arbitrary JavaScript through the `?categoryUpdated=` query parameter. When a victim follows a crafted URL, the unsanitized value is rendered in the page, allowing the attacker to execute client\u2011side code. This can lead to theft of session cookies, credential compromise, or phishing attacks, creating a high confidentiality and integrity risk for users. The vulnerability is classified as Cross\u2011Site Scripting (CWE\u201179) and input validation failure (CWE\u201120).", "risk_and_exploitability": "The CVSS score of 9.3 denotes critical severity, yet the EPSS score of <1% suggests that current exploitation likelihood is low. Nevertheless, the attack vector relies on a user visiting a malicious URL, making social engineering or phishing plausible. The vulnerability is not listed in the CISA KEV catalog, but its severe impact warrants prompt remediation. Once the application is upgraded, the exposure is removed."}}}}, "created": "2026-01-20T08:40:33.471621+00:00", "updated": "2026-04-18T05:15:15.974018+00:00", "vendors": ["leepeuker", "leepeuker$PRODUCT$movary"]}