PT-2026-43353 · Kavita · Kavita
Zerosteiner · Published 2026-05-26 · Updated 2026-05-26 · CVE-2026-47202
CVSS v4.0: 9.3 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Kavita versions prior to 0.9.0.2
Description
An improper token validation flaw allows a remote, unauthenticated attacker to request a JSON Web Token (JWT, a compact, URL-safe format for representing claims transferred between two parties) for any user, including administrators, provided the attacker knows the target's username.
Recommendations
Update to version 0.9.0.2.
Fix
Improper Authentication
Insufficient Verification of Data Authenticity
Related Identifiers
Affected Products
Kavita