CVE-2026-23841 identifies a critical security vulnerability in the leepeuker Movary web application, a platform used for tracking and rating movie watch histories. The vulnerability is due to improper input validation (CWE-20) of the 'categoryCreated' URL parameter, which allows attackers to inject malicious JavaScript code, leading to a cross-site scripting (CWE-79) attack. This XSS flaw enables attackers to execute arbitrary scripts in the context of the victim's browser when they interact with a crafted URL containing the malicious payload. The vulnerability affects all versions prior to 0.70.0, with the fix introduced in version 0.70.0. The CVSS 3.1 base score is 9.3, indicating a critical severity level. The vector details (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N) show that the attack is network exploitable with low attack complexity, requires no privileges, but does require user interaction, and can result in a complete compromise of confidentiality and integrity with no impact on availability. Although no exploits have been observed in the wild, the vulnerability's characteristics make it a high-risk issue. Attackers could leverage this vulnerability to steal session cookies, perform actions on behalf of users, or deliver further malware payloads. The vulnerability's scope is broad as it affects any deployment of Movary versions before 0.70.0 that expose the vulnerable parameter. The fix involves proper input validation and sanitization of the 'categoryCreated' parameter to prevent script injection.

For European organizations, the impact of this vulnerability can be significant, especially for those using Movary to manage movie watch histories or related media tracking services. Successful exploitation can lead to theft of sensitive user data, including session tokens and personal information, potentially enabling account takeover. This can damage user trust and lead to reputational harm. In environments where Movary is integrated with other internal systems or user authentication mechanisms, the integrity of those systems could also be compromised. Additionally, attackers could use the XSS vulnerability as a pivot point for further attacks, such as phishing or malware distribution, increasing the risk of broader network compromise. The critical CVSS score reflects the high potential for damage and ease of exploitation, emphasizing the urgency for European entities to address this issue promptly. The impact is heightened in sectors with strict data protection regulations like GDPR, where data breaches can result in substantial fines and legal consequences.

European organizations should immediately upgrade all affected Movary instances to version 0.70.0 or later, where the vulnerability is patched. In addition to patching, implement strict input validation and output encoding on all user-supplied data, especially URL parameters such as 'categoryCreated'. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Conduct thorough security testing, including automated scanning and manual code reviews, to detect similar input validation issues. Educate users about the risks of clicking on suspicious links and encourage cautious behavior to reduce the likelihood of successful social engineering attacks. Monitor web application logs for unusual requests targeting the vulnerable parameter and set up alerts for potential exploitation attempts. Consider deploying Web Application Firewalls (WAFs) with rules to detect and block XSS payloads targeting Movary. Finally, maintain an incident response plan to quickly address any exploitation events.