CVE-2026-23839 identifies a critical security vulnerability in the leepeuker Movary web application, specifically versions before 0.70.0. Movary is designed to help users track, rate, and explore their movie watch history. The vulnerability stems from improper input validation (CWE-20) of the URL parameter `?categoryUpdated=`, which allows attackers to inject malicious JavaScript code, resulting in a cross-site scripting (XSS) attack (CWE-79). This XSS flaw can be exploited remotely without any authentication (AV:N/PR:N), requiring only that a victim user interacts with a crafted URL or malicious content containing the payload (UI:R). The vulnerability affects the confidentiality and integrity of user data, as attackers can steal session cookies, perform actions on behalf of users, or manipulate displayed content. The CVSS v3.1 base score is 9.3, reflecting critical severity due to the ease of exploitation, lack of required privileges, and the potential for widespread impact. Although no public exploits have been reported yet, the vulnerability is publicly disclosed and patched in Movary version 0.70.0. The vulnerability's scope is 'changed' (S:C), meaning exploitation can affect resources beyond the initially vulnerable component, such as user sessions and data. The lack of availability impact (A:N) indicates the attack does not disrupt service but compromises security. The vulnerability is categorized under CWE-20 (Improper Input Validation) and CWE-79 (Cross-site Scripting), highlighting the root cause and attack vector. The patch for this vulnerability involves proper input validation and sanitization of the `categoryUpdated` parameter to neutralize malicious script injections.

For European organizations using Movary, this vulnerability poses a significant risk to user data confidentiality and integrity. Attackers exploiting this XSS flaw can hijack user sessions, steal sensitive information, or perform unauthorized actions within the application context. This can lead to privacy breaches, reputational damage, and potential regulatory non-compliance under GDPR due to exposure of personal data. Although the vulnerability does not affect system availability, the ability to manipulate user sessions and data can disrupt normal operations and trust in the platform. Organizations in media, entertainment, or any sector using Movary for user engagement are particularly vulnerable. The critical CVSS score underscores the urgency of addressing this issue to prevent exploitation. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread attacks occur.

1. Immediate upgrade to Movary version 0.70.0 or later, where the vulnerability is patched. 2. Implement strict input validation and output encoding on all user-supplied data, especially URL parameters like `categoryUpdated`. 3. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts and reduce XSS impact. 4. Conduct regular security audits and code reviews focusing on input handling and sanitization. 5. Educate users about the risks of clicking on suspicious links and encourage cautious behavior. 6. Monitor application logs for unusual activities or attempts to exploit the `categoryUpdated` parameter. 7. If upgrading immediately is not feasible, consider temporary web application firewall (WAF) rules to block or sanitize requests containing suspicious payloads targeting this parameter. 8. Ensure session management uses secure, HttpOnly cookies to limit the impact of stolen session tokens. 9. Maintain an incident response plan to quickly address any detected exploitation attempts.