CVE-2026-23839

9.3 CRITICAL

📋 TL;DR

This cross-site scripting vulnerability in Movary allows attackers to inject malicious scripts via the 'categoryUpdated' parameter. Users running Movary versions before 0.70.0 are affected, potentially enabling session hijacking, credential theft, or website defacement.

💻 Affected Systems

Products:
  • Movary
Versions: All versions prior to 0.70.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface of Movary instances that are reachable by users.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, credential theft, installation of malware on user systems, or complete compromise of the Movary instance.

🟠

Likely Case

Session hijacking, credential theft, or website defacement affecting users who visit malicious links.

🟢

If Mitigated

Limited impact with proper input validation and output encoding in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly weaponized; exploitation requires user interaction with malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.70.0

Vendor Advisory: https://github.com/leepeuker/movary/security/advisories/GHSA-v32w-5qx7-p3vq

Restart Required: Yes

Instructions:

1. Back up your Movary instance.
2. Update to version 0.70.0 via git pull or download from releases.
3. Restart the web server/service.
4. Verify the update.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement server-side input validation for the 'categoryUpdated' parameter to sanitize or reject malicious input.

Web Application Firewall

all

Deploy a WAF with XSS protection rules to block malicious requests.

🧯 If You Can't Patch

  • Restrict access to the Movary instance to trusted networks only.
  • Implement Content Security Policy headers to mitigate XSS impact.

🔍 How to Verify

Check if Vulnerable:

Check if Movary version is below 0.70.0 via web interface or version file.

Check Version:

Check composer.json or version file in Movary installation directory.

Verify Fix Applied:

Confirm version is 0.70.0 or higher and test 'categoryUpdated' parameter with XSS payloads.

📡 Detection & Monitoring

Log Indicators:

  • Requests whose 'categoryUpdated' parameter contains script tags or JavaScript code.

Network Indicators:

  • HTTP requests containing malicious scripts in query parameters.

SIEM Query:

http.uri_query contains "categoryUpdated" AND (http.uri_query contains "<script>" OR http.uri_query contains "javascript:")
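
The SIEM query above matches only literal "<script>" and "javascript:" strings, so a percent-encoded value in the query string slips past it. The following is an added detection example (not part of this advisory or of Movary) that scans constructed access-log lines, URL-decodes the 'categoryUpdated' value and then applies the same markers; the log format and the /settings path are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed Combined Log Format: the request target sits inside the quoted
# "METHOD TARGET HTTP/x.y" section of each line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Markers taken from the advisory's SIEM query, compared case-insensitively
# after decoding so percent-encoded variants are not missed.
XSS_MARKERS = ("<script", "javascript:")

# Constructed sample log lines (not real Movary traffic); the endpoint path
# is a placeholder, only the parameter name comes from the advisory.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /settings?categoryUpdated=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /settings?categoryUpdated=%3Cscript%3E1%3C%2Fscript%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /settings?categoryUpdated=javascript:void(0) HTTP/1.1" 200 512',
    '203.0.113.2 - - [01/Jan/2026:10:00:03 +0000] "GET /movies?search=%3Cscript%3E HTTP/1.1" 200 512',
]


def flag_request(log_line):
    """Return the decoded 'categoryUpdated' value if it carries an XSS marker, else None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs decodes once; decode twice more to also catch double-encoded values.
    for value in parse_qs(query, keep_blank_values=True).get("categoryUpdated", []):
        decoded = unquote(unquote(value)).lower()
        if any(marker in decoded for marker in XSS_MARKERS):
            return decoded
    return None


def scan_logs(lines):
    """Return (line_number, decoded_value) for every line that trips a marker."""
    return [(n, hit) for n, line in enumerate(lines, 1) if (hit := flag_request(line))]


if __name__ == "__main__":
    for n, hit in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: categoryUpdated={hit!r}")
```

Only the 'categoryUpdated' parameter is inspected, so the fourth sample line (a different parameter) is deliberately not flagged; widen the parameter list if other inputs are in scope.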
