CVE-2026-23840

9.3 CRITICAL

📋 TL;DR

This cross-site scripting (XSS) vulnerability in Movary allows attackers to inject malicious scripts via the 'categoryDeleted' parameter. Users of Movary versions prior to 0.70.0 are affected, potentially enabling session hijacking or credential theft.

💻 Affected Systems

Products:
  • Movary
Versions: All versions prior to 0.70.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects web interface; requires user interaction with malicious link or page.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers steal user sessions, compromise admin accounts, deface the application, or redirect users to malicious sites.

🟠 Likely Case

Attackers steal user authentication cookies or session tokens, leading to account takeover.

🟢 If Mitigated

Limited impact with proper content security policies and input validation, though XSS could still execute in the user's context.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

XSS vulnerabilities are commonly exploited; no public proof-of-concept has been identified, but one would be trivial to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.70.0

Vendor Advisory: https://github.com/leepeuker/movary/security/advisories/GHSA-pj3m-gmq8-2r57

Restart Required: Yes

Instructions:

1. Back up your Movary installation and database.
2. Download version 0.70.0 from the GitHub releases page.
3. Replace the existing files with the new version.
4. Restart the web server.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Add server-side validation of the 'categoryDeleted' parameter and escape it as HTML entities wherever it is reflected into a page, so that user-supplied markup is rendered as text rather than interpreted by the browser.

Content Security Policy (applies to: all)

Implement CSP headers to restrict the sources from which scripts may execute: add a 'Content-Security-Policy' header with a restrictive script-src directive.

🧯 If You Can't Patch

  • Deploy a web application firewall (WAF) with XSS protection rules.
  • Isolate the Movary instance behind a reverse proxy that sanitizes input.

🔍 How to Verify

Check if Vulnerable:

Check whether the Movary version is below 0.70.0 via the admin interface or the version file.

Check Version:

Check 'composer.json' or the version file in the Movary installation directory.

Verify Fix Applied:

Submit a harmless test value containing markup in the 'categoryDeleted' parameter; after the fix the value should be rendered as escaped text and no script should execute.

📡 Detection & Monitoring

Log Indicators:

  • HTTP requests with 'categoryDeleted' parameter containing script tags or JavaScript.

Network Indicators:

  • Unusual outbound connections from Movary server post-XSS execution.

SIEM Query:

web.url:*categoryDeleted=* AND (web.url:*<script* OR web.url:*javascript:*)
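The SIEM query above matches the raw URL, so percent-encoded payloads (e.g. `%3Cscript%3E`) are missed unless the SIEM decodes the field first. The following is an added example, not part of the original advisory or the Movary project, that applies the same two indicators to constructed access-log lines after extracting and URL-decoding the 'categoryDeleted' value; the log format and sample requests are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines in "combined" style; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2026:10:00:00 +0000] "GET /settings?categoryDeleted=1 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2026:10:00:01 +0000] "GET /settings?categoryDeleted=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:02 +0000] "GET /settings?categoryDeleted=javascript%3Aalert(1) HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2026:10:00:03 +0000] "GET /movies?search=script HTTP/1.1" 200 512
"""

# Pull method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
# Same two indicators as the SIEM query, matched against the decoded value.
SUSPICIOUS_RE = re.compile(r"<\s*script|javascript\s*:", re.IGNORECASE)


def suspicious_category_deleted(line):
    """Return the decoded categoryDeleted value if it carries a script indicator, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    query = urlsplit(m.group("url")).query
    # parse_qs decodes one layer of percent-encoding; unquote again to catch double encoding.
    for value in parse_qs(query, keep_blank_values=True).get("categoryDeleted", []):
        decoded = unquote(value)
        if SUSPICIOUS_RE.search(decoded):
            return decoded
    return None


def scan_log(text):
    """Return (line number, decoded value) for every log line that trips the indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        value = suspicious_category_deleted(line)
        if value is not None:
            hits.append((lineno, value))
    return hits


if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: categoryDeleted={value!r}")
```

Only the two lines carrying a decoded `<script` or `javascript:` value are reported; the request that merely contains the word "script" in another parameter is not.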
