Skip to main content

Kavita

7 CVEs product

Monthly

CVE-2026-47202 CRITICAL PATCH Act Now

Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-44776 MEDIUM PATCH This Month

Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
5.9
EPSS
0.0%
CVE-2026-44775 MEDIUM PATCH This Month

Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.

Authentication Bypass Kavita
NVD GitHub
CVSS 4.0
6.9
EPSS
0.1%
CVE-2023-0919 LOW POC PATCH Monitor

Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Kavita
NVD GitHub
CVSS 3.1
3.5
EPSS
0.5%
CVE-2022-3993 CRITICAL POC PATCH Act Now

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kavita
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2022-3945 MEDIUM POC PATCH This Month

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kavita
NVD GitHub
CVSS 3.1
5.3
EPSS
0.9%
CVE-2022-2756 MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Kavita
NVD GitHub
CVSS 3.1
6.5
EPSS
2.3%
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass in Kavita reading server versions prior to 0.9.0.2 allows remote unauthenticated attackers to obtain a valid JWT for any user account, including administrators, given only knowledge of the target username. The flaw stems from improper token validation logic and enables full account takeover without credentials. No public exploit identified at time of analysis, though SSVC rates technical impact as total and automatable.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Kavita reading server versions prior to 0.9.0 expose seven download and metadata API endpoints without enforcing library-level access controls, enabling authenticated users to retrieve file contents, file sizes, and chapter metadata from libraries they have not been granted access to. The affected endpoints - /api/Download/volume, /api/Download/chapter, /api/Download/series, /api/Chapter, and corresponding size-check variants - accept resource identifiers (chapterId, volumeId, seriesId) without verifying the requesting user's library membership. A proof-of-concept exists per SSVC classification, though EPSS at 0.04% (11th percentile) reflects minimal observed exploitation activity; the CVE is not listed in CISA KEV.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Unauthenticated content enumeration in Kavita reading server (all versions prior to 0.9.0) exposes every page image across all server libraries to remote attackers without any credentials. The ReaderController.GetImage endpoint is decorated with ASP.NET's [AllowAnonymous] attribute, and while it accepts an apiKey parameter as a nominal access control, that parameter is never validated server-side - rendering it entirely decorative. Sequential integer entity IDs allow trivial full-library enumeration with nothing more than an HTTP client. No public exploit or CISA KEV listing exists at time of analysis, but the zero-friction exploitation path makes any publicly exposed instance a meaningful data-exposure risk.

Authentication Bypass Kavita
NVD GitHub
EPSS 0% CVSS 3.5
LOW POC PATCH Monitor

Missing Authentication for Critical Function in GitHub repository kareadita/kavita prior to 0.7.0. Rated low severity (CVSS 3.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Authentication Bypass Kavita
NVD GitHub
EPSS 1% CVSS 9.8
CRITICAL POC PATCH Act Now

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kavita
NVD GitHub
EPSS 1% CVSS 5.3
MEDIUM POC PATCH This Month

Improper Restriction of Excessive Authentication Attempts in GitHub repository kareadita/kavita prior to 0.6.0.3. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Kavita
NVD GitHub
EPSS 2% CVSS 6.5
MEDIUM POC PATCH This Month

Server-Side Request Forgery (SSRF) in GitHub repository kareadita/kavita prior to 0.5.4.1. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

SSRF Kavita
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy