CVE-2026-40348: CWE-918: Server-Side Request Forgery (SSRF) in leepeuker movary
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.
AI Analysis
Technical Summary
The vulnerability (CVE-2026-40348) affects movary, a self-hosted movie tracking web app, in versions before 0.71.1. An authenticated user can supply a URL to the /settings/jellyfin/server-url-verify endpoint, which appends /system/info/public and sends a server-side HTTP request using Guzzle. There are no restrictions on internal or loopback addresses, enabling SSRF attacks that allow internal network probing and potential access to internal administrative or cloud metadata services. The issue is resolved in movary version 0.71.1.
Potential Impact
Exploitation allows any authenticated user to perform SSRF attacks, enabling internal network reconnaissance such as host discovery, port scanning, and service fingerprinting. This can expose internal services that are not directly accessible externally, potentially leading to further attacks. The vulnerability does not directly impact confidentiality or availability but can lead to high confidentiality impact by exposing internal network details.
Mitigation Recommendations
Upgrade movary to version 0.71.1 or later, where this SSRF vulnerability is fixed. Since no official patch link or advisory is provided, verify the upgrade from the vendor's official release notes or repository. Until upgraded, restrict authenticated user access or network access to sensitive internal services to reduce risk.
CVE-2026-40348: CWE-918: Server-Side Request Forgery (SSRF) in leepeuker movary
Description
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.
CVSS v3.1
Score 7.7high
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability (CVE-2026-40348) affects movary, a self-hosted movie tracking web app, in versions before 0.71.1. An authenticated user can supply a URL to the /settings/jellyfin/server-url-verify endpoint, which appends /system/info/public and sends a server-side HTTP request using Guzzle. There are no restrictions on internal or loopback addresses, enabling SSRF attacks that allow internal network probing and potential access to internal administrative or cloud metadata services. The issue is resolved in movary version 0.71.1.
Potential Impact
Exploitation allows any authenticated user to perform SSRF attacks, enabling internal network reconnaissance such as host discovery, port scanning, and service fingerprinting. This can expose internal services that are not directly accessible externally, potentially leading to further attacks. The vulnerability does not directly impact confidentiality or availability but can lead to high confidentiality impact by exposing internal network details.
Mitigation Recommendations
Upgrade movary to version 0.71.1 or later, where this SSRF vulnerability is fixed. Since no official patch link or advisory is provided, verify the upgrade from the vendor's official release notes or repository. Until upgraded, restrict authenticated user access or network access to sensitive internal services to reduce risk.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T22:50:01.359Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e389f6bdfbbecc597650fb
Added to database: 4/18/2026, 1:41:10 PM
Last enriched: 4/26/2026, 2:40:01 AM
Last updated: 6/2/2026, 2:19:23 AM
Views: 110
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.