CVE-2026-40348

Name of the Vulnerable Software and Affected Versions Movary versions prior to 0.71.1

Description An authenticated user can trigger server-side requests to arbitrary internal targets via the '/settings/jellyfin/server-url-verify' endpoint. The application accepts a user-controlled URL, appends '/system/info/public', and sends an HTTP request using Guzzle. The lack of restrictions on internal hosts, loopback addresses, or private network ranges allows for Server-Side Request Forgery (SSRF), which is a flaw where a server is tricked into making requests to an unintended location. This can be used for internal reconnaissance, including host discovery, port-state probing, and service fingerprinting, and may allow access to internal administrative services or cloud metadata endpoints.

Recommendations Update to version 0.71.1. As a temporary workaround, restrict access to the '/settings/jellyfin/server-url-verify' endpoint to minimize the risk of exploitation.