2 matches found
CVE-2026-40350
creationtimestamp| type| source ---|---|--- 2026-04-18 02:53:29+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mjqgpszxnk2k 2026-04-18 03:16:44+00:00| published-proof-of-concept| Telegram/uiCSDEnb8aQmWF7FrTZmjJQGi4eEk-7sLrqhzwnkCLApk...
CVE-2026-40350 Movary User Management (/settings/users) has Authorization Bypass that Allows Low-Privileged Users to Enumerate All Users and Create Administrator Accounts
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints /settings/users and use them to enumerate all users and create a new administrator account. This happens because the route...