Description

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side requests to arbitrary internal targets through `POST /settings/jellyfin/server-url-verify`. The endpoint accepts a user-controlled URL, appends `/system/info/public`, and sends a server-side HTTP request with Guzzle. Because there is no restriction on internal hosts, loopback addresses, or private network ranges, this can be abused for SSRF and internal network probing. Any ordinary authenticated user can use this endpoint to make the server connect to arbitrary internal targets and distinguish between different network states. This enables SSRF-based internal reconnaissance, including host discovery, port-state probing, and service fingerprinting. In certain deployments, it may also be usable to reach internal administrative services or cloud metadata endpoints that are not directly accessible from the outside. Version 0.71.1 fixes the issue.

INFO

Published Date :

2026-04-18T00:01:09.725Z

Last Modified :

2026-04-18T00:01:09.725Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-40348 vulnerability.

Vendors Products
Leepeuker
  • Movary
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-40348.

URL Resource
https://github.com/leepeuker/movary/commit/d459b3513293d41254f7093aef07010a8e5dcf04 cve-icon cve-icon
https://github.com/leepeuker/movary/pull/751 cve-icon cve-icon
https://github.com/leepeuker/movary/releases/tag/0.71.1 cve-icon cve-icon
https://github.com/leepeuker/movary/security/advisories/GHSA-2m2v-v563-qqvj cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact