Skip to main content

Movary CVE-2026-40348

| EUVD-2026-23617 HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-18 GitHub_M
SSRF Movary
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

8
Patch released
Apr 27, 2026 - 14:21 nvd
Patch available
Patch available
Apr 18, 2026 - 01:01 EUVD
Analysis Updated
Apr 18, 2026 - 00:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 18, 2026 - 00:22 vuln.today
cvss_changed
Analysis Generated
Apr 18, 2026 - 00:18 vuln.today
EUVD ID Assigned
Apr 18, 2026 - 00:15 euvd
EUVD-2026-23617
Analysis Generated
Apr 18, 2026 - 00:15 vuln.today
CVE Published
Apr 18, 2026 - 00:01 nvd
HIGH 7.7

DescriptionGitHub Advisory

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through POST /settings/jellyfin/server-url-verify. The endpoint accepts a user-controlled URL, appends /system/info/public, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.

AnalysisAI

Server-Side Request Forgery in Movary movie tracking application allows authenticated users to probe internal networks and metadata endpoints. The /settings/jellyfin/server-url-verify endpoint accepts user-controlled URLs without validating against private IP ranges, enabling internal reconnaissance through the server's context. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Obtain low-privilege user credentials
Delivery
Access Jellyfin settings page
Exploit
Submit crafted POST to /settings/jellyfin/server-url-verify with internal target URL
Install
Server-side Guzzle request reaches internal service
C2
Analyze response timing and content
Execute
Enumerate internal network topology and services
Impact
Extract sensitive data from metadata APIs or admin interfaces
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Attacker must possess valid authenticated user credentials to Movary - even low-privilege accounts can access the Jellyfin settings endpoint (CVSS PR:L indicates low-privilege user required). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is moderate but highly deployment-dependent. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a standard user account on a Movary instance hosted in AWS EC2. They navigate to Jellyfin integration settings and submit POST requests to /settings/jellyfin/server-url-verify with URLs targeting http://169.254.169.254/latest/meta-data/ (AWS metadata service). …
Remediation Upgrade Movary to version 0.71.1 or later, which implements URL validation to prevent SSRF attacks (release notes: https://github.com/leepeuker/movary/releases/tag/0.71.1, fix commit: https://github.com/leepeuker/movary/commit/d459b3513293d41254f7093aef07010a8e5dcf04, patch implementation: https://github.com/leepeuker/movary/pull/751). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: Verify current Movary version and inventory all affected deployments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-40348 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy