CVE-2026-40348
Movary contains an authenticated SSRF vulnerability present before version 0.71.1. An ordinary authenticated user can trigger server-side requests by sending a user-controlled URL to POST /settings/jellyfin/server-url-verify, which appends /system/info/public and causes the server to issue a requ...