SecuriTricks - CVE-2025-52880

Description

Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.

Product(s) Impacted

Vendor	Product	Versions
Komga	Komga	1.8.0-1.21.3, 1.22.0

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-799

Improper Control of Interaction Frequency

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	komga	komga	1.8.0-1.21.3	/	/	/	/	/	/	/
a	komga	komga	1.22.0	/	/	/	/	/	/	/

References

https://github.com/gotson/komga/commit/5f9cc449b7846ed2066752c72c9ce7b20c3a85a7

https://github.com/gotson/komga/security/advisories/GHSA-m7mm-6jxp-2m4x

CVSS Score

4.2 / 10

CVSS Data - 3.1

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: HIGH
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

View Vector String

Timeline

Published: June 24, 2025, 8:15 p.m.
Last Modified: June 24, 2025, 8:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

security-advisories@github.com

CVE-2025-52880