{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23840", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.842Z", "datePublished": "2026-01-19T18:32:50.229Z", "dateUpdated": "2026-01-20T17:30:24.315Z"}, "containers": {"cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57"}, {"name": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204"}, {"name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.70.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:32:50.229Z"}, "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue."}], "source": {"advisory": "GHSA-pj3m-gmq8-2r57", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T17:30:07.401662Z", "id": "CVE-2026-23840", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T17:30:24.315Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23840", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T17:30:07.401662Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T17:30:15.565Z"}}], "cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param", "source": {"advisory": "GHSA-pj3m-gmq8-2r57", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"status": "affected", "version": "< 0.70.0"}]}], "references": [{"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57", "name": "https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204", "name": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:32:50.229Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23840", "state": "PUBLISHED", "dateUpdated": "2026-01-20T17:30:24.315Z", "dateReserved": "2026-01-16T15:46:40.842Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T18:32:50.229Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*", "matchCriteriaId": "97791827-BE81-4574-9CDC-B0033B5ADE68", "versionEndExcluding": "0.70.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue."}], "id": "CVE-2026-23840", "lastModified": "2026-02-03T14:47:15.050", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T19:16:04.227", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/leepeuker/movary/blob/main/public/js/settings-account-location.js#L204"}, {"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T15:50:43.818987+00:00", "value": {"mitigation_remediation": ["Upgrade the Movary installation to version 0.70.0 or later to remove the unsanitized query parameter usage.", "Apply server\u2011side input validation to reject non\u2011numeric values or script content in the 'categoryDeleted' query parameter.", "Deploy a web application firewall rule that blocks requests containing suspicious scripts in the query string for the 'categoryDeleted' parameter."], "summary": {"action": "Immediate Patch", "impact": "Cross\u2011Site Scripting enabling arbitrary script execution in the victim\u2019s browser"}, "threat_synthesis": {"affected_systems": "The affected vendor is Lee Peuker, product Movary. All releases prior to version 0.70.0 are vulnerable; the fix was released in 0.70.0 and later versions are believed to be immune.", "description_and_impact": "Insufficient input validation in the Movary web application allows an attacker to embed malicious scripts via the query parameter '?categoryDeleted=' in HTTP requests. This flaw permits the execution of arbitrary JavaScript in the context of the target user\u2019s browser, Open\u2011Source CPElist indicates CWE-79 cross\u2011site scripting through user input handling. A compromised session can lead to credential theft, session hijacking, phishing, or defacement of user data, with integrity and confidentiality at risk. The vulnerability is reported with a CVSS score of 9.3, indicating a high likelihood of exploitation and severe impact.", "risk_and_exploitability": "The low EPSS (<1%) suggests a very small probability of widespread use, yet the high CVSS reflects the potential for severe damage if an attacker crafts a malicious URL or injects a payload in the categoryDeleted parameter. The attack vector is inferred to be a reflected or stored client\u2011side XSS, requiring no authentication; a malicious link can compromise any user who visits the target URL. The vulnerability is not listed in the CISA KEV catalog at this time, but the severity warrants any organization deploying Movary to act promptly."}}}}, "created": "2026-01-20T08:40:18.828289+00:00", "updated": "2026-04-18T16:00:04.283295+00:00", "vendors": ["leepeuker", "leepeuker$PRODUCT$movary"]}