CVE-2026-40350
Leepeuker · Movary
Vulnerability data via NVD (ingested)
Movary is a self-hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can access the user-management endpoints `/settings/users` and use them to enumerate all users and create a new administrator account. This happens because the route definitions do not enforce admin-only middleware, and the controller-level authorization check uses a broken boolean condition. As a result, any user with a valid web session cookie can reach functionality that should be restricted to administrators. Version 0.71.1 patches the issue.
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-40350
product:"Leepeuker Movary"
http.html:"Movary"
vulnerabilities.cve_id: CVE-2026-40350
CVE-2026-40350
"CVE-2026-40350" exploit -site:nvd.nist.gov