Perceptive Security
SOC/SIEM Consultancy

Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side reque…
Published:
17 April 2026 at 22:00:00
Alert date:
18 April 2026 at 01:02:17
Source:
nvd.nist.gov
Web Technologies
Movary, a self-hosted movie tracking web application, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.71.1. The vulnerability exists in the POST /settings/jellyfin/server-url-verify endpoint which accepts user-controlled URLs without proper validation. Authenticated users can exploit this to make server-side requests to arbitrary internal targets, enabling internal network reconnaissance, host discovery, port scanning, and service fingerprinting. The vulnerability could potentially be used to access internal administrative services or cloud metadata endpoints not directly accessible from external networks. The issue has been fixed in version 0.71.1.
Technical details
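The root cause above is a server-URL verification endpoint that fetches whatever URL the user supplies. An added example (not Movary's code, and not the actual fix in 0.71.1) of the pre-flight check such an endpoint needs: only http/https, no embedded credentials, and every address the host resolves to must be public. SAMPLE_DNS and sample_resolver are constructed so the example runs offline; resolve_host is the live equivalent.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed DNS table so the example runs offline; live code uses resolve_host.
SAMPLE_DNS = {
    "jellyfin.example.net": ["93.184.216.34"],             # public: allowed
    "intranet.example.net": ["10.0.0.5"],                  # RFC1918: blocked
    "rebind.example.net": ["93.184.216.34", "127.0.0.1"],  # one bad answer blocks
}

def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise socket.gaierror(f"constructed stub: unknown host {host}")
    return [ipaddress.ip_address(a) for a in SAMPLE_DNS[host]]

def resolve_host(host):
    # Live resolver: every address (v4 and v6) the name currently maps to.
    infos = socket.getaddrinfo(host, None)
    return sorted({ipaddress.ip_address(i[4][0]) for i in infos}, key=str)

def is_public(ip):
    # Rejects loopback, RFC1918, link-local (incl. 169.254.169.254 metadata),
    # unspecified, reserved and multicast; unwraps IPv4-mapped IPv6 first.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast

def check_server_url(url, resolver=resolve_host):
    """Return (allowed, reason); call before the server makes any request."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return False, f"scheme not allowed: {parts.scheme or '(none)'}"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed"
    try:
        addrs = [ipaddress.ip_address(host)]  # literal IPv4 or [IPv6]
    except ValueError:
        try:
            addrs = resolver(host)
        except socket.gaierror:
            return False, f"unresolvable host: {host}"
    for ip in addrs:
        if not is_public(ip):
            return False, f"{host} resolves to non-public address {ip}"
    # Caveat: pin the connection to the checked address, or DNS rebinding wins.
    return True, "ok"
```

A check like this does not stop the server from reaching public hosts, so the endpoint should still be rate-limited and its outbound requests logged per user.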
Mitigation steps: upgrade Movary to version 0.71.1 or later, which contains the fix.
Affected products:
Movary
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-40348
https://github.com/leepeuker/movary/commit/d459b3513293d41254f7093aef07010a8e5dcf04
https://github.com/leepeuker/movary/pull/751
https://github.com/leepeuker/movary/releases/tag/0.71.1
https://github.com/leepeuker/movary/security/advisories/GHSA-2m2v-v563-qqvj
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
