
Movary is a self hosted web app to track and rate a user's watched movies. Prior to version 0.71.1, an ordinary authenticated user can trigger server-side reque…

Published:

17 April 2026 at 22:00:00

Alert date:

18 April 2026 at 01:02:17

Source:

nvd.nist.gov


Web Technologies

Movary, a self-hosted movie tracking web application, contains a Server-Side Request Forgery (SSRF) vulnerability in versions prior to 0.71.1. The vulnerability exists in the POST /settings/jellyfin/server-url-verify endpoint, which accepts user-controlled URLs without proper validation. Authenticated users can exploit this to make the server send requests to arbitrary internal targets, enabling internal network reconnaissance, host discovery, port scanning, and service fingerprinting. The vulnerability could potentially be used to reach internal administrative services or cloud metadata endpoints that are not directly accessible from external networks. The issue has been fixed in version 0.71.1.
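
As an added illustration (not Movary's code and not the 0.71.1 fix, which this page does not describe), the following Python shows the kind of destination check a URL-verification endpoint can apply before fetching a user-supplied server URL. The names `check_server_url`, `ALLOWED_NETS` and the sample DNS answers are assumptions made for this example; the operator allowlist exists because a self-hosted Jellyfin server often sits on a private network.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: networks the operator has approved for a Jellyfin server (constructed value).
ALLOWED_NETS = [ipaddress.ip_network("192.168.10.0/24")]

def system_resolver(host, port):
    """Every address the name maps to; IP literals resolve to themselves."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)}

def address_allowed(addr, allowed_nets):
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped:        # ::ffff:127.0.0.1 -> 127.0.0.1
        ip = ip.ipv4_mapped
    if any(ip in net for net in allowed_nets):    # explicit operator approval
        return True
    # Everything else must be publicly routable: this rejects loopback,
    # RFC 1918, link-local (169.254.169.254 metadata) and reserved ranges.
    return ip.is_global

def check_server_url(url, resolver=system_resolver, allowed_nets=ALLOWED_NETS):
    """Return (ok, reason, addresses) for a user-supplied server URL."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    if not parts.hostname or parts.username or parts.password:
        return False, "host missing or credentials embedded", []
    try:
        addrs = sorted(resolver(parts.hostname, port))
        bad = [a for a in addrs if not address_allowed(a, allowed_nets)]
    except (OSError, ValueError):
        return False, "name does not resolve", []
    if bad or not addrs:              # one bad answer poisons the whole set
        return False, "destination not allowed: " + ", ".join(bad), []
    # The caller should connect to one of these addresses (not re-resolve the
    # name) and must not follow redirects, or the check can be bypassed.
    return True, "ok", addrs

# Constructed DNS answers so the example runs offline.
FAKE_DNS = {"jellyfin.example.org": {"8.8.8.8"},
            "rebind.example.org": {"8.8.8.8", "127.0.0.1"}}

def fake_resolver(host, port):
    return FAKE_DNS.get(host, {host})   # IP literals map to themselves
```

Checking the resolved addresses rather than the URL string is what catches host names and alternate IP encodings that point at internal services.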

Technical details

Mitigation steps:

Affected products:

Movary

Related links:

Related CVEs:

Related threat actors:

IOCs:

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information from external sources; Perceptive accepts no responsibility for the accuracy, completeness or timeliness of this information.
