CVE-2026-42451: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in grimmory-tools grimmory
A stored cross-site scripting (XSS) vulnerability exists in Grimmory versions prior to 2. 3. 1 within its browser-based EPUB reader. An attacker can embed malicious JavaScript in a crafted EPUB file, which executes when a user opens the file, potentially allowing session token theft and account takeover, including administrative access. This vulnerability has been addressed in Grimmory version 2. 3. 1.
AI Analysis
Technical Summary
CVE-2026-42451 is a stored XSS vulnerability in the Grimmory digital library application before version 2.3.1. The flaw allows an attacker to embed arbitrary JavaScript in EPUB files that, when opened in Grimmory's browser-based reader, executes in the context of the user's session. This can lead to theft of session tokens and unauthorized account access, including administrative privileges if an administrator opens the malicious EPUB. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.3. The issue has been patched in version 2.3.1.
Potential Impact
Successful exploitation allows execution of arbitrary JavaScript in the victim's browser session, enabling session token theft and potential account takeover. Administrative accounts are at particular risk if they open the malicious EPUB file, potentially leading to full application compromise. The vulnerability affects confidentiality and integrity with limited impact on availability.
Mitigation Recommendations
Upgrade Grimmory to version 2.3.1 or later, where this vulnerability has been patched. Users should avoid opening EPUB files from untrusted sources until the update is applied. No other vendor advisory or temporary fixes are indicated.
CVE-2026-42451: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in grimmory-tools grimmory
Description
A stored cross-site scripting (XSS) vulnerability exists in Grimmory versions prior to 2. 3. 1 within its browser-based EPUB reader. An attacker can embed malicious JavaScript in a crafted EPUB file, which executes when a user opens the file, potentially allowing session token theft and account takeover, including administrative access. This vulnerability has been addressed in Grimmory version 2. 3. 1.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42451 is a stored XSS vulnerability in the Grimmory digital library application before version 2.3.1. The flaw allows an attacker to embed arbitrary JavaScript in EPUB files that, when opened in Grimmory's browser-based reader, executes in the context of the user's session. This can lead to theft of session tokens and unauthorized account access, including administrative privileges if an administrator opens the malicious EPUB. The vulnerability is rated medium severity with a CVSS 3.1 score of 6.3. The issue has been patched in version 2.3.1.
Potential Impact
Successful exploitation allows execution of arbitrary JavaScript in the victim's browser session, enabling session token theft and potential account takeover. Administrative accounts are at particular risk if they open the malicious EPUB file, potentially leading to full application compromise. The vulnerability affects confidentiality and integrity with limited impact on availability.
Mitigation Recommendations
Upgrade Grimmory to version 2.3.1 or later, where this vulnerability has been patched. Users should avoid opening EPUB files from untrusted sources until the update is applied. No other vendor advisory or temporary fixes are indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-27T13:55:58.693Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe6c74cbff5d86103b91bd
Added to database: 5/8/2026, 11:06:28 PM
Last enriched: 5/8/2026, 11:22:01 PM
Last updated: 5/9/2026, 1:19:44 AM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.