CVE-2026-47202

Summary

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.

Affected Software

VendorProductVersion RangeStatus
KareaditaKavita< 0.9.0.2affected

Weaknesses

  • CWE-287: CWE-287: Improper Authentication
  • CWE-345: CWE-345: Insufficient Verification of Data Authenticity
  • CWE-697: CWE-697: Incorrect Comparison

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References