4 matches found
CVE-2026-40349
CVE-2026-40349 affects Movary (self-hosted web app). Before version 0.71.1, an ordinary authenticated user can self-escalate to administrator by submitting isAdmin=true to PUT /settings/users/{userId} for their own user ID. The endpoint is intended for editing a user’s profile but fails to enforc...
CVE-2026-40348 Movary has Authenticated SSRF via Jellyfin Server URL Verification that Allows Internal Network Probing
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through POST /settings/jellyfin/server-url-verify. The endpoint accepts a user-controlled URL, appends...
CVE-2026-23841 Movary vulnerable to Cross-site Scripting with `?categoryCreated=` param
Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is ?categoryCreated=. Version 0.70.0 fixes the issue...
CVE-2025-64116 Movary vulnerable to an open redirect
Movary is a web application to track, rate and explore your movie watch history. Prior to 0.69.0, the login page accepts a redirect parameter without validation, allowing attackers to redirect authenticated users to arbitrary external sites. This vulnerability is fixed in 0.69.0...