Kavita
Monthly
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.
Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.
Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.
Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.