PT-2025-26781 · Komga · Komga
Paul-Gerste-Sonarsource · Published 2025-06-24 · Updated 2025-06-25 · CVE-2025-52880
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Komga versions 1.8.0 through 1.21.3
Description: A cross-site scripting (XSS) issue has been found in the way Komga serves EPUB resources to its EPUB reader: script content embedded in a book's resources is delivered in the context of the Komga web application and runs with the session of the user who opens the book, allowing an attacker to perform actions on that victim's behalf. If the victim is an administrator, the XSS can be chained with Komga's admin-only control over server-side commands to achieve arbitrary code execution on the server. Exploitation requires a malicious EPUB file to be present in a Komga library and opened by an admin user in the EPUB reader; the CVSS vector rates privileges required as high (PR:H) and user interaction as required (UI:R), reflecting both the access needed to place the file and the victim's action needed to trigger it.
Recommendations: Update Komga versions 1.8.0 through 1.21.3 to version 1.22.0, which resolves the issue. Until the update is applied, do not open untrusted EPUB files in the EPUB reader while logged in with an administrator account, and only add EPUB files from trusted sources to libraries that administrators browse. Restricting administrators' use of the EPUB reader is a temporary mitigation, not a fix.
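Since the precondition is a hostile EPUB already sitting in a library, a useful interim check is to triage the library's EPUB files for active content before administrators open them. The following script is an added example written for this advisory, not Komga project code; it assumes only the standard EPUB container layout (a ZIP with META-INF/container.xml pointing at an OPF manifest) and builds its own sample book in memory, so it runs offline.

```python
"""Triage aid: flag EPUB files whose rendered resources carry active content
(script elements, inline event handlers, javascript: URLs, frames/objects).
Added example for the advisory above; not Komga project code."""
import io
import os
import re
import zipfile
from xml.etree import ElementTree as ET

CONTAINER_NS = {"c": "urn:oasis:names:tc:opendocument:xmlns:container"}
OPF_NS = {"opf": "http://www.idpf.org/2007/opf"}

# Manifest media types whose bodies an EPUB reader renders as markup.
RENDERED_TYPES = {"application/xhtml+xml", "text/html", "image/svg+xml"}

# Heuristic patterns for active content. Plain-text matching is deliberately
# simple; entity-encoded or obfuscated payloads can evade it.
ACTIVE_PATTERNS = [
    ("script-tag", re.compile(r"<script\b", re.I)),
    ("event-handler", re.compile(r"\son[a-z]+\s*=", re.I)),
    ("javascript-url", re.compile(r"(?:href|src)\s*=\s*['\"]\s*javascript:", re.I)),
    ("frame-or-object", re.compile(r"<(?:iframe|object|embed)\b", re.I)),
]


def rendered_resources(zf):
    """Yield (href, bytes) for each manifest item a reader would render as markup."""
    container = ET.fromstring(zf.read("META-INF/container.xml"))
    rootfile = container.find(".//c:rootfile", CONTAINER_NS).attrib["full-path"]
    opf = ET.fromstring(zf.read(rootfile))
    # Manifest hrefs are relative to the directory holding the OPF file.
    base = rootfile.rsplit("/", 1)[0] + "/" if "/" in rootfile else ""
    for item in opf.findall("./opf:manifest/opf:item", OPF_NS):
        if item.get("media-type") in RENDERED_TYPES:
            href = base + item.get("href")
            yield href, zf.read(href)


def scan_epub(data):
    """Return [(href, pattern-name), ...] for active content found in EPUB bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for href, body in rendered_resources(zf):
            text = body.decode("utf-8", errors="replace")
            for name, pattern in ACTIVE_PATTERNS:
                if pattern.search(text):
                    findings.append((href, name))
    return findings


def scan_library(root):
    """Walk a library directory; return {path: findings} for EPUBs with hits."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".epub"):
                path = os.path.join(dirpath, fname)
                with open(path, "rb") as fh:
                    hits = scan_epub(fh.read())
                if hits:
                    report[path] = hits
    return report


# --- Constructed sample input (not a real book) ------------------------------
CONTAINER_XML = """<container version="1.0" xmlns="urn:oasis:names:tc:opendocument:xmlns:container">
  <rootfiles><rootfile full-path="OEBPS/content.opf" media-type="application/oebps-package+xml"/></rootfiles>
</container>"""

CONTENT_OPF = """<package xmlns="http://www.idpf.org/2007/opf" version="3.0" unique-identifier="uid">
  <metadata xmlns:dc="http://purl.org/dc/elements/1.1/"><dc:identifier id="uid">sample-book</dc:identifier></metadata>
  <manifest>
    <item id="ch1" href="chapter1.xhtml" media-type="application/xhtml+xml"/>
    <item id="css" href="style.css" media-type="text/css"/>
  </manifest>
  <spine><itemref idref="ch1"/></spine>
</package>"""

BENIGN_CHAPTER = ('<html xmlns="http://www.w3.org/1999/xhtml"><body>'
                  '<h1>Chapter 1</h1><p>Once upon a time.</p></body></html>')

# Hypothetical hostile chapter: a script element, an inline handler, a javascript: link.
MALICIOUS_CHAPTER = ('<html xmlns="http://www.w3.org/1999/xhtml">'
                     '<body onload="run()"><script src="payload.js"></script>'
                     '<a href="javascript:run()">read on</a></body></html>')


def build_epub(chapter_xhtml):
    """Assemble a minimal EPUB in memory around the given chapter document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("mimetype", "application/epub+zip")
        zf.writestr("META-INF/container.xml", CONTAINER_XML)
        zf.writestr("OEBPS/content.opf", CONTENT_OPF)
        zf.writestr("OEBPS/style.css", "body { margin: 1em; }")
        zf.writestr("OEBPS/chapter1.xhtml", chapter_xhtml)
    return buf.getvalue()


if __name__ == "__main__":
    for label, chapter in (("benign", BENIGN_CHAPTER), ("malicious", MALICIOUS_CHAPTER)):
        print(label, scan_epub(build_epub(chapter)))
```

Run `scan_library("/path/to/komga/library")` against the mounted library directory and review every file it reports before an administrator opens it. Two caveats: EPUB 3 legitimately permits scripting, so a hit is a reason to inspect the book, not proof of malice; and the text patterns are a triage heuristic that encoded or obfuscated payloads can slip past, so this check supplements the upgrade to 1.22.0 rather than replacing it.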

Related Identifiers

CVE-2025-52880
GHSA-M7MM-6JXP-2M4X

Affected Products

Komga