Skip to main content

Koodo Reader

1 CVEs product

Monthly

CVE-2026-55408 HIGH PATCH This Week

Remote code execution in Koodo Reader (versions 2.3.0 and earlier) lets an attacker who supplies a malicious EPUB file run arbitrary OS commands with the victim's privileges once the book is imported and opened. The flaw combines a dangerously permissive Electron IPC handler (nodeIntegrationInSubFrames enabled) with unsanitized innerHTML rendering of chapter content, turning ebook display into a Node.js code-execution primitive. No public exploit has been identified at time of analysis; the issue is fixed in version 2.3.1 and is not listed in CISA KEV.

Code Injection Node.js RCE Koodo Reader
NVD GitHub
CVSS 4.0
8.4
EPSS
0.2%
EPSS 0% CVSS 8.4
HIGH PATCH This Week

Remote code execution in Koodo Reader (versions 2.3.0 and earlier) lets an attacker who supplies a malicious EPUB file run arbitrary OS commands with the victim's privileges once the book is imported and opened. The flaw combines a dangerously permissive Electron IPC handler (nodeIntegrationInSubFrames enabled) with unsanitized innerHTML rendering of chapter content, turning ebook display into a Node.js code-execution primitive. No public exploit has been identified at time of analysis; the issue is fixed in version 2.3.1 and is not listed in CISA KEV.

Code Injection Node.js RCE +1
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy