CVE-2025-52880

MEDIUM

Komga <1.21.3 - XSS

Title source: llm

Description

Komga is a media server for comics, mangas, BDs, magazines and eBooks. A Cross-Site Scripting (XSS) vulnerability has been discovered in versions 1.8.0 through 1.21.3 when serving EPUB resources, either directly from the API, or when reading using the epub reader. The vulnerability lets an attacker perform actions on the victim's behalf. When targeting an admin user, this can be combined with controlling a server-side command to achieve arbitrary code execution. For this vulnerability to be exploited, a malicious EPUB file has to be present in a Komga library, and subsequently accessed in the Epub reader by an admin user. Version 1.22.0 contains a patch for the issue.

References (2)

[Vendor Advisory] https://github.com/gotson/komga/security/advisories/GHSA-m7mm-6jxp-2m4x

[Patch] https://github.com/gotson/komga/commit/5f9cc449b7846ed2066752c72c9ce7b20c3a85a7

View Patch ZIP pw:eip

Scores

CVSS v3 4.2

EPSS 0.0014

EPSS Percentile 32.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-799

Status published

Products (1)

gotson/komga >= 1.8.0, < 1.22.0

Published Jun 24, 2025

Tracked Since Feb 18, 2026