CVE-2024-39307 LOW

CVE-2024-39307: Cross-Site Scripting (XSS) vulnerability via crafted ebooks in Kavita

Vendor Kareadita

Product Kavita

Weakness CWE-79 · XSS

Published June 28, 2024

Last update August 2, 2024

View on NVD All CVEs

CVSS base score

3.5/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Kavita is a cross platform reading server. Opening an ebook with malicious scripts inside leads to code execution inside the browsing context. Kavita doesn't sanitize or sandbox the contents of epubs, allowing scripts inside ebooks to execute. This vulnerability was patched in version 0.8.1.

Key dates

02Disclosure timeline

June 28, 2024 CVE published

August 2, 2024 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-39307 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/79.html

Related vulnerabilities

04Related CVE

CVE-2021-24225 Advanced Booking Calendar < 1.6.7 - Authenticated Reflected Cross-Site Scripting (XSS) CVE-2021-43409 WPO365 | LOGIN - Wordpress Plugin Persistent Cross-Site Scripting CVE-2025-26575 WordPress Display Post Meta plugin <= 1.5- Cross Site Scripting (XSS) vulnerability CVE-2025-59004 WordPress WC Return products plugin <= 1.5 - Reflected Cross Site Scripting (XSS) vulnerability CVE-2025-66024 XWiki Blog Application home page vulnerable to Stored XSS via Post Title