CVE-2025-52880 is a Cross-Site Scripting (XSS) vulnerability affecting the Komga media server, versions 1.8.0 through 1.21.3. Komga is an open-source media server designed for managing and serving digital comic books, mangas, BDs, magazines, and eBooks, including EPUB format files. The vulnerability arises specifically when serving EPUB resources either directly via the API or when accessed through the built-in EPUB reader. An attacker can exploit this flaw by introducing a maliciously crafted EPUB file into the Komga library. When an administrator user subsequently accesses this EPUB file using the reader, the embedded XSS payload executes in the context of the admin's session. This enables the attacker to perform actions on behalf of the admin user, potentially escalating privileges or manipulating server-side commands. The vulnerability is linked to CWE-799, which concerns improper control of interaction frequency, indicating that the application does not adequately restrict or sanitize repeated interactions or inputs, facilitating the XSS attack vector. Exploitation requires that the malicious EPUB be present in the library and that an admin user interacts with it, implying user interaction and high privileges are necessary. The vendor patched the issue in version 1.22.0. The CVSS v3.1 base score is 4.2 (medium severity), reflecting network attack vector, high attack complexity, required privileges, and user interaction. No known exploits are reported in the wild as of the publication date. The vulnerability primarily impacts confidentiality and integrity by allowing unauthorized actions under an admin context but does not affect availability directly. Given the potential for arbitrary code execution when combined with server-side command control, this vulnerability poses a significant risk if left unpatched in environments where Komga is used with administrative users accessing EPUB content.

For European organizations using Komga as a media server for digital publications, this vulnerability could lead to unauthorized administrative actions, including potential arbitrary code execution on the server hosting Komga. This risk is particularly relevant for organizations that manage sensitive or proprietary digital content, such as publishing houses, libraries, educational institutions, and media companies. The compromise of an admin account could lead to data manipulation, unauthorized content distribution, or server takeover, impacting data integrity and potentially confidentiality. Although the vulnerability requires user interaction by an admin, social engineering or insider threats could facilitate exploitation. The medium CVSS score suggests moderate risk, but the possibility of chaining this XSS with server-side command control elevates the threat level in practice. European organizations with centralized digital content management relying on Komga should be aware of this risk, as exploitation could disrupt operations or lead to intellectual property theft. Additionally, the vulnerability could be leveraged in targeted attacks against organizations with strategic digital assets, especially where Komga is deployed in multi-user environments with administrative access.

1. Immediate upgrade to Komga version 1.22.0 or later, which contains the official patch addressing this vulnerability. 2. Implement strict content validation and sanitization for all EPUB files before adding them to the Komga library to prevent malicious payloads from being introduced. 3. Restrict administrative access to the Komga server and limit the number of users with admin privileges to reduce the attack surface. 4. Employ network segmentation and firewall rules to limit Komga server exposure, especially restricting API access to trusted networks or VPNs. 5. Monitor logs for unusual activity related to EPUB file uploads and admin interactions with the reader to detect potential exploitation attempts. 6. Educate administrators on the risks of opening untrusted EPUB files within Komga and encourage verification of source integrity. 7. Consider deploying Web Application Firewalls (WAF) with custom rules to detect and block XSS payloads in HTTP requests/responses related to Komga. 8. Regularly audit and update all third-party components and dependencies used by Komga to minimize exposure to other vulnerabilities. These steps go beyond generic advice by focusing on content validation, access control, and monitoring tailored to the specific attack vector involving EPUB files and admin user interaction.