{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40348/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.7,"id":"CVE-2026-40348"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["ssrf","cve-2026-40348","movary","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMovary, a self-hosted web application for tracking and rating movies, is susceptible to a Server-Side Request Forgery (SSRF) vulnerability (CVE-2026-40348) in versions prior to 0.71.1. This flaw allows any authenticated user to make the \u003ccode\u003e/settings/jellyfin/server-url-verify\u003c/code\u003e endpoint issue server-side HTTP requests to arbitrary targets, including hosts on the internal network. The endpoint takes a user-supplied Jellyfin server URL, appends \u003ccode\u003e/system/info/public\u003c/code\u003e to it and fetches the result with the Guzzle HTTP client. Because the target URL is never validated, the server connects to whatever host and port the user names, including loopback, private-network and cloud metadata addresses; the appended path does nothing to limit that. An attacker can therefore use Movary as a proxy for internal reconnaissance: host discovery, port scanning and service fingerprinting. 
Successful exploitation can lead to further compromise by exposing internal administrative interfaces or cloud metadata endpoints.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the Movary web application with a valid user account.\u003c/li\u003e\n\u003cli\u003eThe attacker chooses an internal target and expresses it as a URL, such as \u003ccode\u003ehttp://127.0.0.1/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/settings/jellyfin/server-url-verify\u003c/code\u003e with that URL as the \u003ccode\u003eserverUrl\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe Movary server appends \u003ccode\u003e/system/info/public\u003c/code\u003e to the user-supplied URL without validating it.\u003c/li\u003e\n\u003cli\u003eThe Movary server uses the Guzzle HTTP client to request the resulting URL (e.g., \u003ccode\u003ehttp://127.0.0.1/system/info/public\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe internal service at the targeted address responds to the Movary server, or the connection is refused or times out.\u003c/li\u003e\n\u003cli\u003eFrom the differences in the endpoint's reply for each probe (status code, content, or whether the verification failed), the attacker infers whether a host is reachable and which service is listening; repeating this across addresses and ports amounts to port scanning and service fingerprinting.\u003c/li\u003e\n\u003cli\u003eThe attacker uses what was discovered to go further, for example by reaching an internal administrative panel or a cloud metadata endpoint that returns credentials or other sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of the SSRF vulnerability (CVE-2026-40348) in Movary lets an attacker with an ordinary account map internal network infrastructure and identify vulnerable services. This can allow attackers to gain unauthorized access to sensitive information, pivot to other internal systems, or chain the SSRF with weaknesses in the services it reaches. 
Although no specific victim count is given, the impact is potentially high for any organization running a vulnerable version of Movary, particularly where it is deployed alongside other internal services or in a cloud environment with a metadata service.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Movary to version 0.71.1 or later to patch the SSRF vulnerability (CVE-2026-40348).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Movary SSRF Attempt\u003c/code\u003e to identify potential exploitation attempts in web server logs. Note that access logs record the request path but not the \u003ccode\u003ePOST\u003c/code\u003e body, so the rule sees use of the endpoint rather than the target URL; a burst of requests to it from a single account or source address is the strongest indicator of scanning.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation and access controls, including egress filtering from the Movary host, to restrict what a forged request can reach and limit the impact of exploitation.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-18T00:16:38Z","date_published":"2026-04-18T00:16:38Z","id":"/briefs/2026-04-movary-ssrf/","summary":"Movary versions before 0.71.1 are vulnerable to server-side request forgery (SSRF) via the `/settings/jellyfin/server-url-verify` endpoint, allowing authenticated users to probe internal network resources.","title":"Movary SSRF Vulnerability (CVE-2026-40348)","url":"https://feed.craftedsignal.io/briefs/2026-04-movary-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-40348","version":"https://jsonfeed.org/version/1.1"}
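The advisory's attack chain turns on one detail: the endpoint appends `/system/info/public` to the user's URL but never checks where that URL points. The following Python is an added example, not Movary's PHP/Guzzle code, that re-implements the "verify a server URL" pattern twice: the vulnerable form, which only fixes the path, beside a hardened form that allowlists the scheme, resolves the host, rejects every non-public answer (loopback, RFC 1918, link-local including 169.254.169.254, IPv4-mapped IPv6 such as `::ffff:127.0.0.1`), pins the connection to the checked address so DNS rebinding between check and use does not help, and disables redirects. The `FAKE_DNS` table, the hostnames in it and the decimal-IP entry are constructed for offline use; `resolve_with_dns` is what a deployment would pass instead.

```python
"""SSRF guard for a "verify this server URL" endpoint.
Added example in Python; not Movary's code. Names in FAKE_DNS are constructed."""
import ipaddress
import socket
from typing import Callable, Dict, List
from urllib.parse import urlsplit, urlunsplit

APPENDED_PATH = "/system/info/public"   # path Movary appends, per the advisory


# --- vulnerable pattern: trust the user's URL, only fix the path ----------------
def build_request_vulnerable(server_url: str) -> Dict[str, object]:
    # Whatever host the user supplied (127.0.0.1, 10.0.0.5, 169.254.169.254, ...)
    # becomes the connection target; the appended path restricts nothing.
    return {"url": server_url.rstrip("/") + APPENDED_PATH, "headers": {}}


# --- hardened pattern -------------------------------------------------------------
Resolver = Callable[[str], List[str]]


def resolve_with_dns(host: str) -> List[str]:
    """Real resolver: every A/AAAA answer for the name."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    mapped = getattr(ip, "ipv4_mapped", None)   # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        ip = mapped
    # is_link_local covers 169.254.169.254 (cloud metadata); is_private covers fd00::/8.
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


class UnsafeTarget(ValueError):
    """Raised when the user-supplied URL must not be fetched."""


def build_request_hardened(server_url: str, resolver: Resolver = resolve_with_dns) -> Dict[str, object]:
    parts = urlsplit(server_url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeTarget(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname or parts.username or parts.password:
        raise UnsafeTarget("host missing or credentials embedded in URL")
    host = parts.hostname
    # Literal IPs are checked directly; names are resolved and EVERY answer is checked,
    # so a name with one public and one private record is still rejected.
    try:
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host)
    if not addresses:
        raise UnsafeTarget(f"{host} does not resolve")
    for addr in addresses:
        if not is_public_address(addr):
            raise UnsafeTarget(f"{host} resolves to non-public address {addr}")
    # Connect to the address that was checked (defeats DNS rebinding between check
    # and use) and carry the original name in the Host header.
    port = parts.port or (443 if parts.scheme == "https" else 80)
    pinned = addresses[0]
    netloc = f"[{pinned}]:{port}" if ":" in pinned else f"{pinned}:{port}"
    host_hdr = f"[{host}]" if ":" in host else host
    return {
        "url": urlunsplit((parts.scheme, netloc, parts.path.rstrip("/") + APPENDED_PATH, "", "")),
        "headers": {"Host": f"{host_hdr}:{port}" if parts.port else host_hdr},
        "allow_redirects": False,   # a 302 to http://127.0.0.1/ would otherwise bypass the check
        "timeout": 5,
    }


# Constructed resolver table for the offline demonstration (not real DNS data).
FAKE_DNS = {
    "jellyfin.example.org": ["8.8.8.8"],             # stands in for a public Jellyfin host
    "internal.corp.example": ["10.0.0.5"],
    "metadata.google.internal": ["169.254.169.254"],
    "rebind.example.org": ["8.8.8.8", "127.0.0.1"],  # mixed answers
    "2130706433": ["127.0.0.1"],   # what getaddrinfo does with a decimal IPv4 (inet_aton)
}


def fake_resolver(host: str) -> List[str]:
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for url in ("http://jellyfin.example.org:8096/", "http://127.0.0.1/",
                "http://169.254.169.254/latest/meta-data/", "http://[::ffff:10.0.0.5]/",
                "http://2130706433/", "http://rebind.example.org/"):
        try:
            print("ALLOW", url, "->", build_request_hardened(url, fake_resolver)["url"])
        except UnsafeTarget as exc:
            print("BLOCK", url, "->", exc)
```

The vulnerable function never raises: every URL in the demonstration list, metadata address included, comes back as a fetchable target. The hardened function only returns a request for the public name, and the returned dictionary maps directly onto HTTP client options (URL with the pinned IP, explicit Host header, redirects off, timeout), which is also how the same fix would be expressed in Guzzle's request options.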
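The Recommendation names a Sigma rule for web server logs but does not show what such logs can and cannot tell you. The following Python is an added example, not the CraftedSignal rule, that runs a path-based match (the part a web-log rule can express) over constructed combined-format access log lines and then adds the signal the path alone lacks: a burst of `POST` requests to `/settings/jellyfin/server-url-verify` from one source and account within a short window, which is what port scanning through the endpoint looks like when the `serverUrl` body is not logged. The threshold, window, IP addresses, usernames and log lines are all assumptions made for the demonstration.

```python
"""Burst detection for CVE-2026-40348 probing over web server access logs.
Added example, not the CraftedSignal Sigma rule; log lines and thresholds are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

ENDPOINT = "/settings/jellyfin/server-url-verify"   # from the advisory
BURST_COUNT = 10      # assumed: verifying one Jellyfin URL does not take ten attempts
BURST_WINDOW_S = 60   # assumed window, in seconds

# Apache/nginx "combined" format. The request line carries the path; the POST body
# (the serverUrl value) is not logged, so the SSRF target itself is invisible here.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    m = LOG_RE.match(line)
    if not m:
        return None
    ev: Dict[str, object] = m.groupdict()
    ev["ts"] = datetime.strptime(str(ev["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    return ev


def matches_rule(ev: Dict[str, object]) -> bool:
    """Path-based match: the part a web-log Sigma rule can express."""
    return ev["method"] == "POST" and str(ev["path"]).split("?", 1)[0] == ENDPOINT


def detect(lines: List[str]) -> Tuple[int, List[Dict[str, object]]]:
    """Return (number of rule matches, burst alerts keyed by source IP and account).
    Lines are assumed to be in chronological order, as access logs are."""
    matches = 0
    recent = defaultdict(deque)   # (src, user) -> timestamps inside the sliding window
    alerted = set()
    alerts: List[Dict[str, object]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or not matches_rule(ev):
            continue
        matches += 1
        key = (ev["src"], ev["user"])
        window = recent[key]
        window.append(ev["ts"])
        while (ev["ts"] - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) >= BURST_COUNT and key not in alerted:
            alerted.add(key)
            alerts.append({"src": ev["src"], "user": ev["user"], "count": len(window),
                           "first": window[0].isoformat(), "last": ev["ts"].isoformat()})
    return matches, alerts


# --- constructed sample log (not real traffic) ------------------------------------
def _line(src: str, user: str, hhmmss: str, path: str, status: str = "200", method: str = "POST") -> str:
    return (f'{src} - {user} [18/Apr/2026:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 87 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    [_line("198.51.100.20", "alice", "10:00:01", ENDPOINT)]                       # one legitimate check
    + [_line("198.51.100.20", "alice", "10:00:05", "/settings/jellyfin", method="GET")]
    + [_line("192.0.2.77", "mallory", f"10:05:{i:02d}", ENDPOINT,
             status="500" if i % 3 else "200")                                     # answers vary per port
       for i in range(0, 24, 2)]                                                    # 12 probes in 22 s
)

if __name__ == "__main__":
    total, found = detect(SAMPLE_LOG)
    print(f"{total} requests matched the path rule")
    for a in found:
        print("BURST", a)
```

Alice's single verification matches the path rule but never produces an alert; Mallory's 12 probes in 22 seconds trip the burst on the tenth request. In production the path match is the Sigma rule's job and the burst is the correlation you add on top of it; the varying status codes in the sample are the same oracle the attack chain describes, seen from the server side.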