CVE-2026-23839 identifies a critical security vulnerability in the leepeuker Movary web application, specifically versions prior to 0.70.0. Movary is designed to help users track, rate, and explore their movie watch history. The vulnerability stems from improper input validation (CWE-20) of the `?categoryUpdated=` URL parameter, which allows attackers to inject malicious JavaScript code, resulting in a cross-site scripting (XSS) attack (CWE-79). This flaw enables an attacker to craft a URL containing a malicious payload that, when visited by a user, executes arbitrary scripts within the context of the victim’s browser session. The vulnerability does not require authentication (PR:N) but does require user interaction (UI:R), such as clicking a malicious link. The CVSS v3.1 score of 9.3 reflects a critical severity due to the network attack vector (AV:N), low attack complexity (AC:L), and the potential for complete confidentiality and integrity compromise (C:H/I:H), although availability is not impacted (A:N). The vulnerability affects all Movary versions before 0.70.0, and while no public exploits have been observed, the risk remains high due to the ease of exploitation and potential impact. The issue was publicly disclosed on January 19, 2026, and fixed in version 0.70.0. No official patch links were provided in the source data, but upgrading to the fixed version is the primary remediation. The vulnerability could be leveraged to steal session cookies, perform actions on behalf of users, or redirect users to malicious sites, posing significant risks to user data and application integrity.

For European organizations using Movary, this vulnerability could lead to significant data breaches involving user credentials, session hijacking, and unauthorized actions performed on behalf of users. Confidentiality is severely impacted as attackers can steal sensitive information stored or accessible via the application. Integrity is also compromised since attackers can manipulate the user interface or data presented to users. Although availability is unaffected, the trustworthiness of the application is undermined, potentially damaging organizational reputation. Organizations in sectors such as media, entertainment, and technology that rely on Movary for user engagement or data analytics are particularly at risk. The exploitation requires user interaction, which may limit automated mass exploitation but still poses a high risk through phishing or social engineering campaigns. The lack of known exploits in the wild suggests a window of opportunity for defenders to patch systems before widespread attacks occur. Failure to address this vulnerability could result in regulatory penalties under GDPR if personal data is compromised.

1. Immediately upgrade all Movary instances to version 0.70.0 or later, where the vulnerability is fixed. 2. Implement strict input validation and output encoding on all user-supplied data, especially URL parameters like `categoryUpdated`, to prevent injection of malicious scripts. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce the impact of potential XSS attacks. 4. Conduct regular security audits and penetration testing focusing on input validation and XSS vectors within the application. 5. Educate users and administrators about phishing risks and the dangers of clicking untrusted links that may exploit this vulnerability. 6. Monitor web server and application logs for unusual requests containing suspicious payloads targeting the vulnerable parameter. 7. If upgrading immediately is not feasible, consider implementing web application firewall (WAF) rules to detect and block malicious input patterns targeting the `categoryUpdated` parameter. 8. Review session management practices to ensure that session tokens are protected via HttpOnly and Secure flags to mitigate session hijacking risks.