CVE-2026-23840 CRITICAL

CVE-2026-23840: Movary vulnerable to Cross-site Scripting with `?categoryDeleted=` param

Vendor: Leepeuker
Product: movary
Weakness: CWE-20 · Input validation
Published: January 19, 2026
Last update: January 20, 2026

CVSS base score

9.3/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: Required
Confidentiality: High
Integrity: High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

What the vulnerability does

01 Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.

Key dates

02 Disclosure timeline

January 19, 2026: CVE published
January 20, 2026: Record updated
