Nixpkgs security tracker

Untriaged

Permalink CVE-2026-47202

9.3 CRITICAL

CVSS version (CVSS): 4.0
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Attack Requirement (AT): None (N)
Privileges Required (PR): None (N)
User Interaction (UI): None (N)
Vulnerable System Impact Confidentiality (VC): High (H)
Vulnerable System Impact Integrity (VI): High (H)
Vulnerable System Impact Availability (VA): Low (L)
Subsequent System Impact Confidentiality (SC): None (N)
Subsequent System Impact Integrity (SI): None (N)
Subsequent System Impact Availability (SA): None (N)
Modified Attack Vector (MAV): Network (N)
Modified Attack Complexity (MAC): Low (L)
Modified Attack Requirement (MAT): None (N)
Modified Privileges Required (MPR): None (N)
Modified User Interaction (MUI): None (N)
Modified Vulnerable System Impact Confidentiality (MVC): High (H)
Modified Vulnerable System Impact Integrity (MVI): High (H)
Modified Vulnerable System Impact Availability (MVA): Low (L)
Modified Subsequent System Impact Confidentiality (MSC): Negligible (N)
Modified Subsequent System Impact Integrity (MSI): Negligible (N)
Modified Subsequent System Impact Availability (MSA): Negligible (N)
Safety (S): Not Defined (X)
Automatable (AU): Not Defined (X)
Recovery (R): Not Defined (X)
Value Density (V): Not Defined (X)
Vulnerability Response Effort (RE): Not Defined (X)
Provider Urgency (U): Not Defined (X)
Confidentiality Req. (CR): Not Defined (X)
Integrity Req. (IR): Not Defined (X)
Availability Req. (AR): Not Defined (X)
Exploit Maturity (E): Not Defined (X)

created 5 days, 23 hours ago Activity log

Created suggestion 5 days, 23 hours ago

Kavita: Pre-Auth Account Takeover

Kavita is a cross platform reading server. Prior to 0.9.0.2, an Improper Token validation flaw permits a remote and unauthenticated threat actor to request a JWT for any user including admins given knowledge of their username. This vulnerability is fixed in 0.9.0.2.

References

https://github.com/Kareadita/Kavita/security/advisories/GHSA-m2v3-fcjh-hm22 x_refsource_CONFIRM
https://github.com/Kareadita/Kavita/releases/tag/v0.9.0.2 x_refsource_MISC

Affected products

Kavita

==< 0.9.0.2

Matching in nixpkgs

pkgs.kavita

Fast, feature rich, cross platform reading server

nixos-unstable 0.8.8.3
- nixpkgs-unstable 0.8.8.3
- nixos-unstable-small 0.8.8.3
nixos-25.11 0.8.7
- nixos-25.11-small 0.8.7
- nixpkgs-25.11-darwin 0.8.7

Package maintainers

@nevivurn Yongun Seong <nevivurn@nevi.dev>
@Misterio77 Gabriel Fontes <eu@misterio.me>

Suggestion detail

References

Affected products

Matching in nixpkgs

pkgs.kavita

Package maintainers