CVE-2026-44776

216.73.217.22

· Published 26/05/2026 18:16 · Modified 26/05/2026 19:19

Labels: CVE-2026-44776 2026-05-26 CVE-2026-44776 CWE-639 [email protected]

Essential information

Published: 26/05/2026 18:16
Modified: 26/05/2026 19:19
Author: —
Creator: —
CVSS: 5.9 MEDIUM (v3) 5.9 MEDIUM (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

Kavita is a cross platform reading server. Prior to 0.9.0, the download, size-check, and chapter metadata endpoints do not enforce library-level authorization. A low-privileged user who knows or guesses a chapterId, volumeId, or seriesId belonging to a library they are not assigned to can download the full file contents, query file sizes, and read metadata for that content. This affects /api/Download/volume-size, /api/Download/chapter-size, /api/Download/series-size, /api/Download/volume, /api/Download/chapter, /api/Download/series, and /api/Chapter. This vulnerability is fixed in 0.9.0.

NVD status

Status: Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
kavita / kavita	`cpe:2.3:a:kavita:kavita::::::::`