CVE-2025-52880

Published: Jun 24, 2025

Modified: Jun 24, 2025

PUBLISHED

CVSS v3.1

4.2

MEDIUM

Description

Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.

Vendor	Product	Versions
gotson	komga	affected `>= 1.8.0, < 1.22.0`

Weaknesses (CWE)

CWE-799

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

High

Privileges Required

High

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/gotson/komga/security/advisories/GHSA-m7mm-6jxp-2m4x

x_refsource_CONFIRM

https://github.com/gotson/komga/commit/5f9cc449b7846ed2066752c72c9ce7b20c3a85a7

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-52880

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References