The Movary web application has multiple high-severity vulnerabilities that allow authenticated users to escalate privileges and access internal targets before version 0.71.1.
Claims
The Movary web application has multiple high-severity vulnerabilities that allow authenticated users to escalate privileges and access internal targets before version 0.71.1.
Parent: Cybersecurity · Entity: Movary · Impact: negative · Date: Apr 18, 2026 · Target: The security of the Movary web application
Source posts
🟠 CVE-2026-40348 - High (7.7)
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. ...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40348/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
🟠 CVE-2026-40350 - High (8.8)
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new admi...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40350/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026
🟠 CVE-2026-40349 - High (8.8)
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can escalate their own account to administrator by sending `isAdmin=true` to `PUT /settings/users/{userId}` for thei...
🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40349/
#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
0 boosts · 0 favs · 0 replies · Apr 18, 2026