CVE-2026-23841
Cross-Site Scripting in Movary `categoryCreated` Parameter
Publication date: 2026-01-19
Last updated on: 2026-02-02
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| unknown_vendor | movary | to 0.70.0 (exc) |
| unknown_vendor | movary | 0.70.0 |
| leepeuker | movary | to 0.70.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-23841 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the Movary web application versions prior to 0.70.0. It occurs because the application does not properly validate or sanitize the input provided to the `?categoryCreated=` URL parameter. This allows attackers to inject malicious JavaScript code that is reflected back in the server response and executed in the victim's browser. For example, an attacker can craft a URL with a malicious payload that triggers JavaScript execution when visited, potentially stealing cookies or performing unauthorized actions. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts including allowing attackers to execute arbitrary JavaScript in the context of a victim's browser. This can lead to theft of session cookies, unauthorized actions performed on behalf of the user, and displaying deceptive or malicious content. The confidentiality and integrity of user data can be compromised, although availability is not affected. The attack can be performed remotely over the network without any special privileges, but requires the user to interact with a malicious link. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by testing the vulnerable parameter `?categoryCreated=` with known XSS payloads to see if the application reflects and executes them. For example, you can use curl or a browser to send requests like: `curl 'http://LOCALHOST:8080/settings/account/locations?categoryCreated=a<img src=1 onerror=alert(document.cookie)>'` and observe if the payload executes in the browser. Monitoring HTTP requests for suspicious input in the `categoryCreated` parameter or scanning with web vulnerability scanners that test for reflected XSS on this parameter can also help detect the issue. [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Movary to version 0.70.0 or later, where the vulnerability is fixed. If upgrading is not immediately possible, you should sanitize or purify the input to the `categoryCreated` parameter to prevent injection of executable code, following best practices such as those outlined in the OWASP Cross-Site Scripting Prevention Cheat Sheet. [1]
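The detection and mitigation answers above can be put into working form. The following added example (not Movary's own code, nor from the original page) does two things: it scans constructed web-server access-log lines for `categoryCreated` values that carry markup, using the page's own reflected payload as the sample hit, and it shows the hardened rendering direction, HTML-encoding the parameter before it is reflected into the page. The log format, the `MARKUP_RE` heuristic and the `render_notice` template are assumptions for illustration.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Common Log Format); not real traffic.
# Line 2 carries the reflected payload quoted in the advisory, percent-encoded
# as a browser or curl would send it.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2026:10:00:01 +0000] "GET /settings/account/locations?categoryCreated=Home+Theatre HTTP/1.1" 200 512
203.0.113.9 - - [19/Jan/2026:10:00:07 +0000] "GET /settings/account/locations?categoryCreated=a%3Cimg%20src%3D1%20onerror%3Dalert(document.cookie)%3E HTTP/1.1" 200 640
203.0.113.9 - - [19/Jan/2026:10:00:09 +0000] "GET /movies/123 HTTP/1.1" 200 2048
"""

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Heuristic (assumed): a category name has no business containing a tag
# opener, an inline event-handler attribute, or a javascript: URL.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|\bon[a-z]+\s*=|javascript:", re.IGNORECASE)


def category_created_value(log_line):
    """Return the decoded categoryCreated query value of a log line, or None."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes once and turns '+' into a space.
    values = parse_qs(query, keep_blank_values=True).get("categoryCreated")
    return values[0] if values else None


def is_suspicious(value):
    """True when the decoded parameter value contains markup fragments."""
    return bool(MARKUP_RE.search(value))


def scan_log(text):
    """Return (line number, decoded value) for each flagged request."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        value = category_created_value(line)
        if value is not None and is_suspicious(value):
            hits.append((lineno, value))
    return hits


def render_notice(value):
    """Mitigation direction: HTML-encode the parameter before reflecting it."""
    return f'<p class="notice">Created category "{html.escape(value, quote=True)}"</p>'


if __name__ == "__main__":
    for lineno, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious categoryCreated value {value!r}")
        print("safe rendering:", render_notice(value))
```

Encoding at the output point neutralises the reflected value whatever it contains; the log scan is only a heuristic for spotting probes against unpatched instances.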