PT-2025-43409 · Booklore · Booklore
Published
2025-10-22
·
Updated
2025-10-27
·
CVE-2025-62614
CVSS v4.0
8.7
High
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
BookLore versions 1.8.1 and prior
Description
BookLore is a self-hosted web app for managing book collections. Versions 1.8.1 and prior have an authentication bypass in the BookMediaController: unauthenticated users can access and download book covers, thumbnails, and complete PDF/CBZ page content without authorization. Two defects combine: several media endpoints lack access-control annotations, and the CoverJwtFilter continues request processing even when no authentication token is present, so a request carrying no credentials at all still reaches the controller. This lets an attacker enumerate and exfiltrate book content, bypassing the download permissions that would otherwise apply. The issue was addressed in commit b226c43.
Recommendations
Update BookLore to a version later than 1.8.1.
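The following is an added illustration of the two ingredients of the fix pattern described above, written here for this advisory in Spring Security terms; it is not BookLore's code and the advisory reproduces no source. It shows a cover-token filter that fails closed when the token is absent or invalid (the fail-open variant is the same class without the two early returns), together with a deny-by-default chain rule and a method-level @PreAuthorize so that an endpoint that forgets its annotation is still not public. Package and class names, the /api/v1/media/** path, the MEDIA_READ authority, the app.cover-jwt.secret and app.media-root properties, and the token-in-query-parameter convention are all assumptions; it assumes Spring Boot 3 with Spring Security 6 (jakarta servlet API).

```java
// Added example for this advisory; not BookLore's code. Package, class names,
// the /api/v1/media/** path, the MEDIA_READ authority and the two properties
// are assumptions. Requires spring-boot-starter-security and
// spring-security-oauth2-jose on the classpath.
package example.media;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.List;

import javax.crypto.spec.SecretKeySpec;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.JwtException;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.filter.OncePerRequestFilter;

/** Fail-closed cover-token filter. The vulnerable shape is this class without the two
 *  early returns: a request with no token, or a bad one, falls through to chain.doFilter(). */
class CoverTokenFilter extends OncePerRequestFilter {
    private final JwtDecoder decoder;
    CoverTokenFilter(JwtDecoder decoder) { this.decoder = decoder; }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        String token = req.getParameter("token");   // assumed: token travels as a query parameter
        if (token == null) {                        // fail-open variant skips this and continues
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "missing token");
            return;
        }
        Jwt jwt;
        try {
            jwt = decoder.decode(token);            // signature, exp and nbf are verified here
        } catch (JwtException e) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "invalid token");
            return;
        }
        SecurityContextHolder.getContext().setAuthentication(new UsernamePasswordAuthenticationToken(
                jwt.getSubject(), null, List.of(new SimpleGrantedAuthority("MEDIA_READ"))));
        chain.doFilter(req, res);
    }
}

@Configuration
@EnableMethodSecurity // without this, @PreAuthorize on the controller is never evaluated
class MediaSecurityConfig {
    @Bean
    JwtDecoder coverJwtDecoder(@Value("${app.cover-jwt.secret}") String secret) {
        // HS256 verification; Nimbus rejects secrets shorter than 32 bytes
        return NimbusJwtDecoder.withSecretKey(
                new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256")).build();
    }

    @Bean
    SecurityFilterChain mediaChain(HttpSecurity http, JwtDecoder coverJwtDecoder) throws Exception {
        return http
                .securityMatcher("/api/v1/media/**")
                .addFilterBefore(new CoverTokenFilter(coverJwtDecoder), UsernamePasswordAuthenticationFilter.class)
                // deny by default: an endpoint that lacks its annotation is still not public
                .authorizeHttpRequests(a -> a.anyRequest().authenticated())
                .build();
    }
}

@RestController
class MediaEndpoints {
    private final Path mediaRoot;
    MediaEndpoints(@Value("${app.media-root}") String mediaRoot) { this.mediaRoot = Path.of(mediaRoot); }

    @PreAuthorize("hasAuthority('MEDIA_READ')") // second gate, independent of the chain rule above
    @GetMapping("/api/v1/media/{bookId}/cover")
    ResponseEntity<byte[]> cover(@PathVariable long bookId) throws IOException {
        Path file = mediaRoot.resolve("covers").resolve(bookId + ".jpg"); // numeric id: no traversal
        if (!Files.isRegularFile(file)) {
            return ResponseEntity.notFound().build();
        }
        return ResponseEntity.ok().contentType(MediaType.IMAGE_JPEG).body(Files.readAllBytes(file));
    }
}
```

The point of the two gates is that neither relies on the other: fixing only the filter leaves every annotation-less endpoint one refactor away from being public again, while the `anyRequest().authenticated()` rule turns a forgotten annotation into a 401 rather than a free download. A token carried in a query string also lands in access logs and Referer headers, so such cover tokens should be short-lived.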
Weakness Enumeration
Missing Authorization
Related Identifiers
CVE-2025-62614
Affected Products
Booklore