NVD Vulnerability Detail

Search Exploit, PoC

NVD脆弱性検索トップ

->

NVD Vulnerability Detail

CVE-2026-44775

Summary	Kavita is a cross platform reading server. Prior to 0.9.0, the ReaderController.GetImage endpoint is decorated with [AllowAnonymous], allowing completely unauthenticated access to page images from any chapter in any library. While the endpoint accepts an apiKey parameter, it is never validated. Since entity IDs are sequential integers, an unauthenticated attacker can trivially enumerate all content on the server. This vulnerability is fixed in 0.9.0.
Publication Date	May 27, 2026, 3:16 a.m.
Registration Date	May 27, 2026, 4:08 a.m.
Last Update	May 27, 2026, 3:16 a.m.

Related information, measures and tools

No	URL	refsource	タグ
1	https://github.com/Kareadita/Kavita/blob/8c686df2dbc2d0a83120e8b3f8c1269107bb815d/API/Controllers/ReaderController.cs#L116	security-advisories@github.com
2	https://github.com/Kareadita/Kavita/security/advisories/GHSA-6gc9-6r8p-5wg2	security-advisories@github.com

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-306	重要な機能に対する認証の欠如解説	https://cwe.mitre.org/data/definitions/306.html