What is the CVSS score of CVE-2026-23839?

CVE-2026-23839 has a CVSS 3.1 base score of 9.3 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N. EPSS exploitation probability: 0.1%.

Which versions of Movary are affected by CVE-2026-23839?

Organizations using versions face critical risk from CVE-2026-23839, a input validation vulnerability rated CVSS 9.3.

Is there a public PoC exploit available for CVE-2026-23839?

Yes, a public proof-of-concept exploit is available for CVE-2026-23839. Prioritise patching immediately. EPSS: 0.1%.

Movary CVE-2026-23839

CRITICAL

Improper Input Validation (CWE-20)

2026-01-19 security-advisories@github.com

XSS Movary

9.3

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

9.3 CRITICAL

AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 03, 2026 - 14:48 vuln.today

Public exploit code

CVE Published

Jan 19, 2026 - 19:16 nvd

CRITICAL 9.3

DescriptionGitHub Advisory

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is ?categoryUpdated=. Version 0.70.0 fixes the issue.

AnalysisAI

Movary movie tracking application has an input validation flaw that allows authenticated users to read arbitrary files from the server, potentially exposing configuration files and secrets.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Craft malicious URL with XSS payload in categoryUpdated parameter

Delivery

Send link to Movary user

Exploit

User clicks link in browser

Execution

JavaScript executes in victim's session context

Impact

Steal session cookies or perform actions as user