Description
TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.
Published: 2026-01-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Backend Access
Action: Immediate Patch
AI Analysis

Impact

TheLibrarian’s web_fetch tool can obtain the Adminer interface content, which can then be used to log into the internal backend system. This lets an attacker bypass the normal authentication path and gain unauthorized access to sensitive administrative resources, potentially exposing confidential data and permitting further malicious actions. The vulnerability stems from improper access control and can be exploited without authentication.

Affected Systems

The affected product is TheLibrarian.io, a web management platform. The vendor has fixed all affected versions; no specific version list is provided, but any installation that has not been upgraded should be treated as vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact and medium exploitation complexity. The EPSS score of less than 1% suggests a very low likelihood of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, exploiting the public web_fetch endpoint to retrieve the Adminer content. Once the content is obtained, an attacker can craft a login to the backend, achieving unauthorized access to administrative controls.

Generated by OpenCVE AI on April 18, 2026 at 05:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch that fixes the web_fetch/Adminer content retrieval issue.
  • Disable or restrict access to the Adminer interface through firewall rules or network segmentation.
  • Verify that internal backend authentication requires valid credentials and cannot be forged from retrieved content.
  • Regularly monitor logs for unexpected login attempts from unfamiliar IP addresses.
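The second and third recommended actions come down to one control: a server-side fetch feature must not be able to reach addresses that are meant to be internal. The Python below is an added illustration, not code from TheLibrarian or from OpenCVE. It assumes web_fetch is a server-side URL fetcher and that the Adminer interface lives on a private address; both are assumptions, since the advisory gives no implementation detail. The guard rejects non-HTTP schemes, embedded credentials, and any host that resolves to a non-public address, and returns the resolved addresses so the caller can connect to exactly those. The STUB_DNS table is constructed so the example runs offline; a deployment would pass resolve_with_dns instead.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver table for the offline example (hypothetical names and
# addresses). A real deployment would use resolve_with_dns below.
STUB_DNS = {
    "adminer.internal": ["10.0.0.5"],
    "example.com": ["93.184.216.34"],
}


def resolve_with_stub(host):
    """Offline stand-in for DNS: returns the constructed addresses for host."""
    return STUB_DNS.get(host, [])


def resolve_with_dns(host):
    """Resolve host with the system resolver, all address families."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def ip_is_internal(ip_str):
    """True for any address a public fetcher should never be allowed to reach."""
    ip = ipaddress.ip_address(ip_str)
    return (
        ip.is_private          # RFC 1918, 127/8, 169.254/16, ::1, fc00::/7, ...
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified   # 0.0.0.0 / ::
        or not ip.is_global    # also excludes shared address space 100.64/10
    )


def check_fetch_target(url, resolve=resolve_with_stub):
    """Decide whether a fetch tool may request url.

    Returns (allowed, reason, pinned_ips). When allowed, the caller must open
    the connection to one of pinned_ips rather than resolving the name again,
    otherwise a name that changes answers between check and connect
    (DNS rebinding) would defeat the check.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed", []
    if parts.username or parts.password:
        return False, "credentials in URL not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []

    # Literal IPs (including bracketed IPv6) are checked directly; names are
    # resolved and every returned address must pass.
    try:
        ipaddress.ip_address(host)
        addrs = [host]
    except ValueError:
        addrs = resolve(host)
    if not addrs:
        return False, f"{host!r} did not resolve", []
    for addr in addrs:
        if ip_is_internal(addr):
            return False, f"{host!r} maps to non-public address {addr}", []
    return True, "ok", addrs


if __name__ == "__main__":
    for candidate in ("https://example.com/", "http://adminer.internal/",
                      "http://127.0.0.1:8080/", "http://[::1]/",
                      "file:///etc/passwd"):
        allowed, reason, ips = check_fetch_target(candidate)
        print(f"{candidate:28} allowed={allowed} ({reason}) {ips}")
```

Two points matter when wiring this into a real fetcher: the check has to run again on every redirect hop, because a public host can redirect to an internal one, and the pinned addresses returned by check_fetch_target are the only ones the socket should connect to. Network-level isolation of the Adminer interface, as the second action recommends, remains the primary control; this guard is defence in depth for the fetch feature itself.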


Advisories

No advisories yet.

History

Sat, 18 Apr 2026 06:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284

Fri, 23 Jan 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Thelibrarian the Librarian
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:thelibrarian:the_librarian:-:*:*:*:*:*:*:*
Vendors & Products Thelibrarian the Librarian

Mon, 19 Jan 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Thelibrarian
Thelibrarian thelibrarian
Vendors & Products Thelibrarian
Thelibrarian thelibrarian

Sun, 18 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 22:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Fri, 16 Jan 2026 13:00:00 +0000

Type Values Removed Values Added
Description TheLibrarians web_fetch tool can be used to retrieve the Adminer interface content, which can then be used to log into the internal TheLibrarian backend system. The vendor has fixed the vulnerability in all affected versions.
Title CVE-2026-0616
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-01-16T21:40:36.626Z

Reserved: 2026-01-05T17:42:09.153Z

Link: CVE-2026-0616

Vulnrichment

Updated: 2026-01-16T21:40:00.476Z

NVD

Status : Analyzed

Published: 2026-01-16T13:16:11.960

Modified: 2026-01-23T16:59:34.530

Link: CVE-2026-0616

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T06:00:08Z

Weaknesses