Kavita
by Kareadita
Source repositories
CVEs (8)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-47202 | Cri | 0.60 | — | 0.00 | May 26, 2026 | Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2. | ||
| CVE-2026-44775 | Med | 0.45 | — | 0.00 | May 26, 2026 | Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is… | ||
| CVE-2026-44776 | Med | 0.38 | — | 0.00 | May 26, 2026 | Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not… | ||
| CVE-2024-39307 | Low | 0.23 | 3.5 | 0.00 | Jun 28, 2024 | Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in… | ||
| CVE-2023-0919 | Hig | 0.00 | 8.1 | 0.00 | Feb 19, 2023 | Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. | ||
| CVE-2022-3993 | Cri | 0.00 | 9.4 | 0.01 | Nov 14, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. | ||
| CVE-2022-3945 | Med | 0.00 | 5.3 | 0.01 | Nov 11, 2022 | Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. | ||
| CVE-2022-2756 | Med | 0.00 | 6.5 | 0.02 | Aug 10, 2022 | Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. |
- risk 0.60cvss —epss 0.00
Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.
- risk 0.45cvss —epss 0.00
Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is…
- risk 0.38cvss —epss 0.00
Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not…
- risk 0.23cvss 3.5epss 0.00
Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in…
- risk 0.00cvss 8.1epss 0.00
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0.
- risk 0.00cvss 9.4epss 0.01
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3.
- risk 0.00cvss 5.3epss 0.01
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3.
- risk 0.00cvss 6.5epss 0.02
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1.