CVE-2025-64115

MEDIUM

Leepeuker Movary < 0.69.0 - Open Redirect

Title source: rule

Description

Movary is a web application to track, rate and explore your movie watch history. Versions up to and including 0.68.0 use the HTTP Referer header value directly for redirects in multiple settings endpoints, allowing a crafted link to cause an open redirect to an attacker-controlled site and facilitate phishing. This vulnerability is fixed in 0.69.0.

References (3)

[Exploit, Third Party Advisory] https://github.com/leepeuker/movary/security/advisories/GHSA-pm58-79jw-q79f

[Issue Tracking] https://github.com/leepeuker/movary/pull/713

[Patch] https://github.com/leepeuker/movary/commit/716f703b4464ffdb0365c406f3660d275495769f

View Patch ZIP pw:eip

Scores

CVSS v3 6.1

EPSS 0.0004

EPSS Percentile 10.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (1)

leepeuker/movary < 0.69.0

Published Oct 30, 2025

Tracked Since Feb 18, 2026