CVE-2026-23839
Cross-Site Scripting in Movary `categoryUpdated` Parameter
Publication date: 2026-01-19
Last updated on: 2026-02-03
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| leepeuker | movary | to 0.70.0 (exc) |
| leepeuker | movary | 0.70.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-23839 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the movary web application versions prior to 0.70.0. It occurs due to insufficient input validation on the `categoryUpdated` URL parameter, allowing attackers to inject malicious JavaScript payloads. When a victim visits a crafted URL containing this payload, the malicious script executes in their browser, potentially stealing session cookies or performing unauthorized actions. [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript in the browsers of users who visit a maliciously crafted URL. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, and display of deceptive content. The impact is high on confidentiality and integrity, but it does not affect availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the `categoryUpdated` URL parameter for reflected Cross-Site Scripting (XSS). You can attempt to access URLs with payloads such as `http://LOCALHOST:8080/settings/account/locations?categoryUpdated=b<img src=1 onerror=alert(document.cookie)>` or `http://LOCALHOST:8080/settings/account/locations?categoryUpdated=b<img src=1 onerror=alert(document.domain)>` and observe if the JavaScript executes in the browser. Automated scanning tools that test for reflected XSS on query parameters can also be used. There are no specific command-line commands provided, but using curl or browser-based testing with these payloads can help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Movary to version 0.70.0 or later, where the vulnerability is fixed. Additionally, ensure proper sanitization and purification of the `categoryUpdated` parameter input before rendering it in the web page, following OWASP XSS prevention guidelines. Avoid using vulnerable versions (prior to 0.70.0) in production environments. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.