CVE-2026-7714

Summary

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Affected Software

VendorProductVersion RangeStatus
crocodilestickCalibre-Web-Automated4.0.0affected
crocodilestickCalibre-Web-Automated4.0.1affected
crocodilestickCalibre-Web-Automated4.0.2affected
crocodilestickCalibre-Web-Automated4.0.3affected
crocodilestickCalibre-Web-Automated4.0.4affected
crocodilestickCalibre-Web-Automated4.0.5affected
crocodilestickCalibre-Web-Automated4.0.6affected

Weaknesses

  • CWE-306: Missing Authentication
  • CWE-287: Improper Authentication

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References