{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23841", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-16T15:46:40.842Z", "datePublished": "2026-01-19T18:35:21.866Z", "dateUpdated": "2026-01-20T20:05:55.115Z"}, "containers": {"cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param", "problemTypes": [{"descriptions": [{"cweId": "CWE-20", "lang": "en", "description": "CWE-20: Improper Input Validation", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v"}, {"name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"version": "< 0.70.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:35:21.866Z"}, "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue."}], "source": {"advisory": "GHSA-v877-x568-4v5v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-20T20:02:44.905259Z", "id": "CVE-2026-23841", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:05:55.115Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23841", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-01-20T20:02:44.905259Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-20T20:02:45.928Z"}}], "cna": {"title": "Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param", "source": {"advisory": "GHSA-v877-x568-4v5v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "leepeuker", "product": "movary", "versions": [{"status": "affected", "version": "< 0.70.0"}]}], "references": [{"url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v", "name": "https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "name": "https://github.com/leepeuker/movary/releases/tag/0.70.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-20", "description": "CWE-20: Improper Input Validation"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-19T18:35:21.866Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23841", "state": "PUBLISHED", "dateUpdated": "2026-01-20T20:05:55.115Z", "dateReserved": "2026-01-16T15:46:40.842Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-19T18:35:21.866Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:leepeuker:movary:*:*:*:*:*:*:*:*", "matchCriteriaId": "97791827-BE81-4574-9CDC-B0033B5ADE68", "versionEndExcluding": "0.70.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue."}], "id": "CVE-2026-23841", "lastModified": "2026-02-02T15:17:06.853", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-19T19:16:04.370", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/leepeuker/movary/releases/tag/0.70.0"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/leepeuker/movary/security/advisories/GHSA-v877-x568-4v5v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T05:03:59.062061+00:00", "value": {"mitigation_remediation": ["Upgrade Movary to version 0.70.0 or later, which removes the unsafe handling of the `?categoryCreated=` parameter", "If an upgrade is not immediately possible, implement server\u2011side filtering to ensure that any data supplied through the `categoryCreated` query string is either strictly validated or fully escaped before inclusion in any HTML output", "Deploy Content Security Policy (CSP) headers to restrict the sources from which scripts can be executed, thereby reducing the consequence of any remaining XSS vectors"], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011site Scripting (client\u2011side execution)"}, "threat_synthesis": {"affected_systems": "All installations of the Movary application built by the vendor `leepeuker` and deploying versions earlier than 0.70.0 are affected. The vulnerability is specific to the web interface where the query parameter is processed, and no patched version prior to 0.70.0 is available.", "description_and_impact": "Movary, a web\u2011based film\u2011tracking application, suffers from an unescaped input parameter that allows malicious script code to be executed in a victim\u2019s browser. By adding a carefully crafted query string using the `?categoryCreated=` parameter, an attacker can embed JavaScript that runs with the same privileges as the application page. The resulting impact includes theft of session cookies, impersonation, or arbitrary actions performed on behalf of the user. This vulnerability is classified as CWE\u201179 (Cross\u2011Site Scripting) and also features an input\u2011validation weakness (CWE\u201120).", "risk_and_exploitability": "The CVSS score of 9.3 indicates critical severity, and the EPSS score is reported as less than 1\u202f%. Although the likelihood of exploitation in the wild is low, the vulnerability is publicly disclosed and has no current official exploitation reports, and it is not listed in the CISA KEV catalog. Attackers would need only to craft a URL containing the malicious payload and induce a user to visit it, making the exploit trivial when the target is exposed to web traffic. The solution is straightforward and delivered by the vendor in a new release."}}}}, "created": "2026-01-20T08:40:14.802974+00:00", "updated": "2026-04-18T05:15:15.973253+00:00", "vendors": ["leepeuker", "leepeuker$PRODUCT$movary"]}