The Movary web application had multiple security vulnerabilities prior to version 0.71.1, allowing authenticated users to escalate their privileges and access sensitive user management endpoints.

🚨 EUVD-2026-23617 📊 Score: 7.7/10 (CVSS v3.1) 📦 Product: movary 🏢 Vendor: leepeuker 📅 Updated: 2026-04-18 📝 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoi... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23617 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23619 📊 Score: 8.8/10 (CVSS v3.1) 📦 Product: movary 🏢 Vendor: leepeuker 📅 Updated: 2026-04-18 📝 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for their own user... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23619 #cybersecurity #infosec #euvd #cve #vulnerability

🚨 EUVD-2026-23632 📊 Score: 8.8/10 (CVSS v3.1) 📦 Product: movary 🏢 Vendor: leepeuker 📅 Updated: 2026-04-18 📝 Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator ... 🔗 https://euvd.enisa.europa.eu/vulnerability/EUVD-2026-23632 #cybersecurity #infosec #euvd #cve #vulnerability