CVE-2026-23841 in movary
Summary
by MITRE • 01/19/2026
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.
Analysis
by VulDB Data Team • 02/02/2026
CVE-2026-23841 affects Movary, a web application for tracking, rating and exploring movie watch histories, in which users manage a personal movie database and share their viewing experiences. The flaw is insufficient input validation: the `?categoryCreated=` URL query parameter is processed without adequate sanitization or validation, which gives an attacker a way to inject a cross-site scripting payload.
Data supplied through `?categoryCreated=` is handed to the page directly, with no input filtering or output encoding, so a crafted value in that parameter executes in the browser of any user who opens a page carrying it. The weakness is classified as CWE-79 (Cross-Site Scripting), one of the most prevalent web application flaws. It lets an attacker run arbitrary JavaScript in a victim's browser, with session hijacking, credential theft or similar consequences.
The impact goes beyond data corruption or unauthorized access. A user who views a page containing content injected through the vulnerable parameter executes the script without knowing it, so the user experience of the application as a whole, and potentially systems around it, can be compromised. The flaw can be exploited repeatedly, particularly where the user base is large or where it remains undetected for a long time. All versions prior to 0.70.0 are affected, so a significant share of installations may have been exposed.
Version 0.70.0 of Movary fixes the issue by introducing proper input validation and sanitization for the affected parameter. The fix is in line with established security practice as described in the ATT&CK framework for mitigating client-side code injection. Operators should update to 0.70.0 or later. Additional mitigations: validate input at multiple layers (client-side and server-side), deploy a Content Security Policy to limit script execution, and run regular security assessments to find similar flaws. The case underlines the importance of input validation in web applications and of security testing throughout the software development lifecycle.
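To illustrate the reflected-parameter flaw and the two remediation layers described above, here is a minimal Python request handler added for this page; it is not Movary's code, and the banner markup, the category-name allowlist pattern, the response header and the sample URL are all assumptions. It shows the unsafe reflection of `?categoryCreated=` beside a version that validates the value server-side and HTML-encodes it before output.

```python
import html
import re
from typing import Dict, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample request carrying the vulnerable parameter (not a real Movary URL).
SAMPLE_URL = "https://movary.example/categories?categoryCreated=%3Cscript%3Ealert(1)%3C%2Fscript%3E"

# Assumed allowlist for a category name: letters, digits, space, underscore, hyphen, max 64 chars.
CATEGORY_RE = re.compile(r"[A-Za-z0-9 _-]{1,64}")


def category_created_param(url: str) -> Optional[str]:
    """Return the first ?categoryCreated= value from the URL (URL-decoded), or None."""
    values = parse_qs(urlsplit(url).query).get("categoryCreated")
    return values[0] if values else None


def render_banner_vulnerable(value: str) -> str:
    """CWE-79 pattern: the raw parameter is interpolated into HTML with no encoding."""
    return f'<div class="notice">Category "{value}" created</div>'


def render_banner_fixed(value: str) -> str:
    """Output encoding: <, >, &, and quotes are escaped before the value reaches HTML."""
    return f'<div class="notice">Category "{html.escape(value, quote=True)}" created</div>'


def validate_category_name(value: str) -> bool:
    """Server-side input validation (allowlist), applied in addition to output encoding."""
    return CATEGORY_RE.fullmatch(value) is not None


def handle_request(url: str) -> str:
    """Validate first, then encode; anything outside the expected shape is not reflected."""
    value = category_created_param(url)
    if value is None:
        return ""
    if not validate_category_name(value):
        return '<div class="notice">Category created</div>'  # generic message, no reflection
    return render_banner_fixed(value)


def response_headers() -> Dict[str, str]:
    """Defence in depth named in the analysis: a CSP that refuses inline script execution."""
    return {"Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'"}
```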